Control Environment: Obtain an Understanding
An auditor needs to obtain an understanding of how an entity has responded to risks arising from the use of IT and assess the design and implementation of relevant IT general controls. The following procedures can be performed to achieve this objective:
- Review IT policies and procedures: Obtain and evaluate the entity’s IT policies and procedures, focusing on areas such as access control, change management, data backup, security incident management, and system development.
- Understand the IT environment: Gain an understanding of the organization’s IT environment, including its hardware, software, networks, data centers, and relevant third-party service providers. This can involve reviewing system architecture diagrams, process flowcharts, and IT service agreements.
- Identify key IT risks: Assess the key IT risks relevant to the entity and its financial reporting process, considering factors such as the complexity of the IT environment, the use of third-party service providers, and the nature of the entity’s business operations.
- Evaluate the entity’s risk management process: Review the entity’s risk assessment and risk management process, including how IT risks are identified, assessed, prioritized, and managed. This may involve reviewing risk registers, risk assessment reports, and management’s response to identified risks.
- Interview management and IT personnel: Conduct interviews with key personnel involved in IT risk management, including IT management, system administrators, and business process owners, to gain insights into the design and implementation of IT controls.
- Walkthroughs and observations: Perform walkthroughs of key IT processes and observe control activities in action, such as user access provisioning, change management processes, or system backup procedures.
- Review previous audit findings and recommendations: Examine any previous internal or external audit findings related to IT controls, assessing how the entity has addressed these issues and implemented any recommended improvements.
- Test the design and implementation of IT general controls: Select a sample of relevant IT general controls and perform tests of design and implementation. This may include:
  a. Evaluating the appropriateness of access controls, such as user access provisioning and deprovisioning, segregation of duties, and password policies.
  b. Assessing the effectiveness of change management controls, including the authorization, documentation, testing, and approval of changes to systems and applications.
  c. Reviewing system development life cycle (SDLC) controls, such as project management, system design, testing, and deployment processes.
  d. Examining IT operations controls, such as system monitoring, backup and recovery procedures, and incident response plans.
  e. Evaluating the oversight and monitoring of third-party service providers, including service level agreements (SLAs) and vendor management processes.
- Document findings: Document the results of the procedures performed, including any identified control deficiencies, and communicate the findings to the appropriate level of management.
By performing these procedures, auditors can obtain an understanding of how an entity has responded to risks arising from the use of IT and assess the design and implementation of relevant IT general controls. This information can be used to plan and execute further audit procedures, including substantive tests and tests of controls, as appropriate.