IT control testing is an audit procedure an organization uses to test the effectiveness of an IT control to ensure automated controls operate correctly and that key financial reporting reports are accurate and complete.

Depending on the results of IT control tests, auditors may choose to rely upon an organization’s system of controls as part of their auditing activities. However, if the controls aren’t designed or operating effectively, auditors increase their use of substantive testing, which usually increases the cost of an audit.

The benefits of IT control testing include:

• Accelerated employee onboarding
• Informed employees who understand controls responsibility and IT risk
• Time- and cost-savings when implementing new financial reporting systems
• Automated controls embedded in the company’s enterprise resource planning (ERP) system
• Reduced inconsistencies in data definitions
• Reduced duplicative controls in business processes and redundant information systems at remote locations
• Increased regulations preparedness
• Increased assurance in cybersecurity programs

Not everyone agrees IT controls testing should be included as part of their audit of financial statements. What’s the value of testing IT controls when sampling a large number of financial transactions and tying these transactions back to source documents can still result in an audit opinion? Company leaders may try to leverage data, optimize company operations, and avoid potentially bad decisions for years.

However, the very act of testing IT controls forces auditors to conduct interviews and request documentation from those who operate control activities, which leads to clear operations improvements and reduced errors in financial reporting.

When audit committees and chief financial officers (CFOs) hire auditors, they often aspire to:

• Combat fraud
• Improve the reliability of financial reporting
• Boost investor confidence

Executives who recognize the advantages of including IT controls testing in their audits understand how their organization benefits.

First, the external auditors will interview key employees. Then, the auditors seek to identify control gaps.

Interviews

When auditors assess the design and operation of IT controls, they interview employees in finance and IT departments who:

• Control access to financial data
• Approve and test changes to systems that impact financial reporting
• Protect the company from cyberattacks

Management often discovers that employees signing off on user access reviews only glance at the users in question. This means they don’t take time to understand how users accumulate underlying roles and permissions over time or to enforce segregation of duties.

Identification

After considering the results of the interviews and inspecting corresponding evidence, auditors identify control gaps and communicate them to management, the CFO, and sometimes the audit committee of the board.

Identifying control gaps is critical as companies face dangerous trends and data breaches.

These trends include:

• Increased phishing and malware attacks and corresponding data leaks
• New regulations—for example, California’s Consumer Privacy Act (CCPA)
• Shortage of finance, accounting, and IT professionals who understand controls
• More users with extended privileges or access to sensitive accounts, especially those who oversee the financial close and reporting process
• Increased data entry points due to remote access
• Management of applications without the IT department’s knowledge

Many benefits stem from including IT control testing in your organization’s audits; three potential outcomes to anticipate include:

• Improved documentation
• Reduced systems complexity
• Minimization of errors

Improved Documentation

When auditors test controls, management could discover many job descriptions need updating. Improved documentation helps companies quickly onboard new employees and could be the fastest way to share knowledge when working remotely. 

Reduced Systems Complexity 

Merger and acquisition (M&A) activity rarely includes plans to absorb a company into the buyer’s larger operational structure. This can lead to redundant applications, databases, and operating systems that create unnecessary risk and confusion.

Following IT-controls testing, some of these systems could be consolidated—allowing separate business units to report financial information on a single financial application, while reducing systems redundancies and strengthening operations.

Error Minimization

Manual processes could be one of the weakest links in a company’s operations, and working from home introduces distractions and other stresses that could disrupt effective operation of controls.

An IT controls assessment may reveal that your company needs to adopt an automated ERP resource, which consolidates manual processes into a single cloud-based system. An ERP system can also combine data from all company branches, while allowing management to track changes and address risk from any location at any time.