Define the relationship between business risk, IT general controls risk, and the IT general controls that can mitigate these threats as they pertain to financial reporting objectives
Helps organizations to examine each financially significant application and determine whether failures in the IT general control processes at each layer of the IT infrastructure represent a likely threat to the consistent operation of the application's critical functionality.
Improves the cost effectiveness of IT general controls auditing by including within audit scope only the elements or layers of infrastructure and IT general control processes that are relevant to financial control risks.
How to apply the principles
STEP 1: Validate understanding.
STEP 2: Perform a risk assessment at each layer.
STEP 3: Conclude: is it REASONABLY LIKELY that a failure in this IT process area could impact application controls and result in a material misstatement? Risk is not eliminated; it is reduced to a REASONABLE level.
The identification of risks and related controls in IT business processes should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network.
Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
Application: contains functionality relied upon to assure the integrity of the financial reporting process. Should that functionality not operate consistently and correctly, there is at least a reasonable likelihood of a material misstatement that would not be prevented or detected.
Data: data that, if affected by an unauthorized change that bypasses normal application controls (i.e., as a result of an ITGC failure), is at least reasonably likely to result in a material misstatement that would not be prevented or detected.
What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement?
For each IT process at each layer in the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail — indirectly representing a risk of material misstatement?
If such IT business process risks exist, what are the relevant IT control objectives?
The GAIT Methodology
Phases of the GAIT Methodology
Phase 1: Identify controls over financial reporting to provide reasonable assurance as to their reliability (AS5).
Phase 2: Identify and validate critical IT functionality.
Phase 3: Identify significant applications where ITGCs need to be tested.
Phase 4: Identify ITGC process risks and related control objectives.
Phase 5: Identify ITGCs to test that meet the control objectives.
Throughout: perform a reasonable person review.
Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements.
The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting.
Role of IT
The auditor should assess the extent of information technology ("IT") involvement in the period-end financial reporting process.
The identification of risks and controls within IT should not be a separate evaluation but, rather, an integral part of the auditor's top down risk assessment, including identification of significant accounts and disclosures and their relevant assertions, as well as the controls to test.
Factors that affect the risk associated with a control include:
The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls);
Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective);