How to Assess IT General Control Deficiencies for SOX

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

This is not an easy task. Why? Because deficiencies in IT General Controls (ITGC) are not directly linked to the risk of a material error in the financial statements.

Instead, ITGC provide assurance of the continued and proper operation of the automated functionality that management relies upon. That automated functionality, which both the SEC and the IIA (in its guidance) refer to as critical functionality, includes (a) automated controls, (b) the automated part of semi-automated or hybrid controls (such as a system report used in a manual control), and (c) the security of information, where an unauthorized change made by bypassing controls could result in a material misstatement.

In other words, ITGC failures have an indirect effect on the integrity of the financial statements. They affect the key controls in business processes (those that contain critical functionality), and only those business-process key controls have a direct effect.

For more on how to identify the ITGC key controls to include in a SOX program scope, see this post.

When a deficiency is found in a key ITGC, the first step is to identify the critical functionality that might be affected. That may be one or many automated and semi-automated controls. Judgment is then required as to whether the deficiency, considered together with the other manual and automated controls that are working, represents at least a reasonable likelihood of a significant or material error.

Fortunately, the IIA has published a Practice Guide (strongly recommended guidance) on the assessment of ITGC deficiencies as part of its GAIT family of products. GAIT for IT General Controls Deficiency Assessment is a free download for IIA members.

The assessment process is built on six principles:

  1. In order to assess ITGC deficiencies, it is necessary to understand the 'reliance chain' between the financial statements and the ITGC key controls that have failed.
  2. In order for there to be a material weakness, two tests have to be met: (a) likelihood and (b) impact (the potential misstatement of the financial statements).
  3. Because an ITGC deficiency does not directly affect the financial statements, the assessment is similarly not direct. The assessment is in stages or steps, and the likelihood and impact tests are applied across the combination of the steps.
  4. All ITGC deficiencies that relate to the same ITGC control objective should be assessed as a group.
  5. All ITGC control objectives that are not achieved and relate to the same key automated controls, key reports, or other critical functionality should be assessed as a group.
  6. The principle of aggregation requires that control deficiencies of all types, including manual and automated control deficiencies relating to the same significant account or disclosure, be considered as a group.
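To make the reliance chain and the grouping principles concrete, here is an added Python example; it is not code from the IIA Practice Guide or from this post. It walks a constructed chain from failed ITGC control objectives, through the critical functionality they protect and the business-process key controls that rely on it, down to significant accounts; groups deficiencies as principles 4, 5 and 6 require; and applies the likelihood test by checking whether any working compensating control remains for the account. Every objective, control identifier, account and deficiency in it is constructed for illustration. The impact test is taken as an input (the set of accounts judged material) because materiality is a judgment the code cannot make.

```python
"""Walk the GAIT 'reliance chain' and aggregate ITGC deficiencies.

Added illustration, not code from the IIA Practice Guide or this post.
Every identifier below (objectives, functionality, key controls, accounts,
deficiencies) is constructed for the example.
"""
from collections import defaultdict

# Reliance chain, top down (constructed):
#   ITGC control objective -> critical functionality it protects
#   critical functionality -> business-process key control relying on it
#   key control -> significant account(s) it supports
OBJECTIVE_TO_FUNCTIONALITY = {
    "change-management:ERP": {"auto:three-way-match", "report:aged-AR"},
    "access:ERP-superuser": {"auto:three-way-match", "auto:credit-limit"},
    "operations:batch-jobs": {"report:aged-AR"},
}
FUNCTIONALITY_TO_KEY_CONTROL = {
    "auto:three-way-match": {"AP-01"},
    "auto:credit-limit": {"AR-01"},
    "report:aged-AR": {"AR-03"},
}
KEY_CONTROL_TO_ACCOUNTS = {
    "AP-01": {"Accounts Payable"},
    "AR-01": {"Accounts Receivable"},
    "AR-03": {"Accounts Receivable", "Allowance for Doubtful Accounts"},
}
# Manual controls that still work and would catch a misstatement in the
# account even if its automated controls failed (constructed).
COMPENSATING_CONTROLS = {
    "Accounts Payable": {"AP-07 monthly vendor statement reconciliation"},
}

# Constructed ITGC deficiencies, each tagged with the objective it defeats.
SAMPLE_DEFICIENCIES = [
    {"id": "D-1", "objective": "change-management:ERP",
     "finding": "emergency changes moved to production without approval"},
    {"id": "D-2", "objective": "change-management:ERP",
     "finding": "developer retained rights to migrate code to production"},
    {"id": "D-3", "objective": "operations:batch-jobs",
     "finding": "failed aged-AR batch job not reviewed or rerun"},
]


def group_by_objective(deficiencies):
    """Principle 4: deficiencies against the same ITGC control objective
    form one group; returns {objective: [deficiency ids]}."""
    groups = defaultdict(list)
    for d in deficiencies:
        groups[d["objective"]].append(d["id"])
    return dict(groups)


def affected_functionality(failed_objectives):
    """Principle 5: map each unachieved objective to the critical
    functionality it exposes, keyed by functionality so that several failed
    objectives hitting the same automated control are assessed together."""
    exposed = defaultdict(set)
    for objective in failed_objectives:
        for func in OBJECTIVE_TO_FUNCTIONALITY.get(objective, ()):
            exposed[func].add(objective)
    return dict(exposed)


def aggregate_by_account(exposed_functionality):
    """Principle 6: follow the chain down to significant accounts and collect,
    per account, the key controls whose automated part is now unreliable."""
    per_account = {}
    for func, objectives in exposed_functionality.items():
        for key_control in FUNCTIONALITY_TO_KEY_CONTROL.get(func, ()):
            for account in KEY_CONTROL_TO_ACCOUNTS.get(key_control, ()):
                entry = per_account.setdefault(
                    account, {"at_risk_key_controls": set(),
                              "failed_objectives": set()})
                entry["at_risk_key_controls"].add(key_control)
                entry["failed_objectives"].update(objectives)
    return per_account


def assess(deficiencies, material_accounts):
    """Principles 1-3: the likelihood and impact tests are applied to the
    combined chain, not to the ITGC deficiency on its own.  Likelihood is
    met only where no working compensating control remains; impact is the
    caller's materiality judgment, passed in as a set of account names."""
    groups = group_by_objective(deficiencies)
    per_account = aggregate_by_account(affected_functionality(groups))
    for account, info in per_account.items():
        compensating = COMPENSATING_CONTROLS.get(account, set())
        info["compensating_controls"] = compensating
        info["likelihood_met"] = not compensating
        info["impact_met"] = account in material_accounts
        info["potential_material_weakness"] = (
            info["likelihood_met"] and info["impact_met"])
    return per_account


if __name__ == "__main__":
    result = assess(SAMPLE_DEFICIENCIES,
                    material_accounts={"Accounts Receivable", "Accounts Payable"})
    for account, info in sorted(result.items()):
        verdict = ("potential material weakness"
                   if info["potential_material_weakness"] else "deficiency only")
        print(account, "->", verdict, sorted(info["at_risk_key_controls"]))
```

With the constructed data, the two change-management findings and the batch-job finding both land on the aged-AR report, so they are assessed together against Accounts Receivable, where no compensating manual control exists and a potential material weakness is flagged; the same change-management failure also touches the three-way match over Accounts Payable, but the vendor-statement reconciliation keeps the likelihood test from being met there. Adding a deficiency against the "access:ERP-superuser" objective would exercise the security-of-information leg (c) of critical functionality in the same way.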
The principles and the detailed assessment process, which has ten steps, are explained in the Practice Guide, and I refer you to that document.

Questions:

1. Are you familiar with this Practice Guide? If not, why not?

2. Do you find it useful?

Posted on Jan 25, 2013 by Norman Marks


  1. Hi Norman

     Timely reminder!

     We (I) plead guilty to sometimes not spending as much time on the IT side of internal auditing as on other aspects.

     The 5th principle is duplicated.

     In case you can't edit the mistake out, the 6th principle should be:

     6. The principle of aggregation requires that control deficiencies of all types, including manual and automated control deficiencies relating to the same significant account or disclosure, be considered as a group.

     Great!

  2. Thanks, Kaya!
