Certifying automated IT controls
Common challenges and suggested solutions
Information technology (IT) has transformed the way in which business is conducted. Extensive automation of business processes and data processing has led to IT becoming pervasive across all functional areas of business. It is critical in accounting and financial reporting processes, where internal controls over financial reporting are frequently embedded within software applications. As a result, compliance with the numerous regulations in force requires organisations to identify, document and test their many embedded IT controls.
Embedded application/automated controls offer several advantages over manual controls: not only are they more effective, but they require fewer samples and, once benchmarked and baselined, can be subject to an audit rotation plan and tested once every three years.
It has been relatively straightforward for IT departments to identify and test IT general controls, including the internal controls that organisations implement over IT management processes such as computer operations, change management and problem management. However, the proper identification, documentation and testing of internal controls embedded within the various software applications has proven more complex than anticipated.
While there are no hard and fast rules for dealing with the challenges related to automated IT controls, experience suggests some best practices. Regardless of how your organisation chooses to resolve these issues, it is critical that you consider IT challenges as part of your certification process and proactively develop a well-supported strategy to identify and resolve automated IT control deficiencies.
Read the full article by Baskaran Rajamani of Deloitte & Touche LLP - Canada here.