Skip to content
SAS 145

SAS 145 guidance: Identifying and evaluating general IT controls

Alison Parker, CPA  Executive Editor, Thomson Reuters

Stephanie D. Lanke, CPA  Senior Consultant, Thomson Reuters

· 5 minute read

Alison Parker, CPA  Executive Editor, Thomson Reuters

Stephanie D. Lanke, CPA  Senior Consultant, Thomson Reuters

· 5 minute read

As we complete our examination of the impacts of SAS 145 for tax and accounting professionals, we’ll build on our previous posts on risk assessmentdocumentation and analysis, and balancing scope and complexity in auditing. In this last post, we’ll look at risks that can arise from the use of IT in accounting and auditing.

General IT controls

Keeping in line with advancements in technology and the widespread use of automation tools and techniques, SAS 145 acknowledges the use of IT by both auditors and clients and expressly defines the risks arising from the use of IT.

No, this doesn’t mean that auditors need to become IT experts. It does mean they need to think of IT use in terms of assertions. They also need to evaluate the complexity of a system, even off-the-shelf software packages, and all that is included.

SAS 145 provides enhanced and new definitions for the terms “general IT controls” and “risks arising from the use of IT,respectively. Under the new standard, auditors are required to identify general IT controls that address the risks arising from the use of IT and, when they relate to certain identified controls, as discussed in a previous post, and to evaluate their design and determine their implementation.

What is the definition of general IT controls?

SAS 145 defines “general IT controls” as: “Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.”

Examples of general IT controls include:

  • Authentication
  • Privileged access
  • Change management policies and procedures
  • Backup and recovery
  • Intrusion detection

Under SAS 145, “risks arising from the use of IT” is defined as: “Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.”

Thinking in terms of assertion, firms may still be wondering what IT controls to consider. The answer: those IT controls that impact the risk of material misstatement at the assertion level.

What are the risks of using IT?

To assist auditors, SAS 145 outlines several considerations to help determine whether IT applications are subject to risks arising from the use of IT.

For example, characteristics of higher risk IT applications may include:

  • The volume of data or transactions is significant.
  • Applications are interfaced.
  • The application’s functionality is complex (e.g. it automatically initiates transactions, and there are a variety of complex calculations underlying automated entries).
  • Management relies on an application system to process or maintain data, and management relies upon the application system to perform certain automated controls that the auditor has also identified.

Characteristics of a lower risk IT application include:

  • The volume of data (transactions) is not significant.
  • Applications stand-alone.
  • Each transaction is supported by original hard copy documentation.
  • The application’s functionality is not complex.


For all the advantages that technology provides for firms, it is important to understand the possible implications general IT controls can have. This is especially true with regard to risk assessment and the potential for material misstatement.

Take action now to ensure that your firm is fully prepared to manage the impact of SAS 145. To learn more, view our webinar offering early guidance on SAS No. 145.

Visit our SAS 145 Hub for more information.

This is the final post in a four-blog series about SAS 145 and its impact on tax and accounting professionals. Check out the first three posts below:

More answers