During the COVID-19 pandemic, deferring maintenance of controls over financial reporting has become more prominent in work-from-home environments. This is likely caused by companies prioritizing pressing concerns related to staffing and resourcing, or by finance and accounting staff working remotely—which could put an organization at risk for increased cyberthreats.
Most companies defer the maintenance of financial data controls for years due to time and money constraints. However, well-designed information technology (IT) controls are foundational for optimizing a company’s operations, providing transparency, and protecting its most precious resource—its data.
While remote work environments are testing organizations’ IT infrastructures like never before, they could provide an opportunity to confront your company’s deferred maintenance. By asking external auditors to examine how well your organization’s IT controls are designed and operating, your organization may be able to reduce cyberthreats within a risk-heightened work-from-home environment.
Not everyone agrees IT controls testing should be included as part of their audit of financial statements. What’s the value of testing IT controls when an audit opinion can still be gained by sampling a large number of financial transactions and tying these transactions back to source documents?
When audit committees and chief financial officers (CFOs) hire auditors, they often aspire to:
- Combat fraud
- Improve the reliability of financial reporting
- Boost investor confidence
Executives who recognize the advantages of including IT controls testing in their audits understand there are many unexpected benefits.
These benefits include:
- Accelerated employee onboarding
- Informed employees who understand controls responsibility and IT risk
- Time and cost savings when implementing new financial reporting systems
- Automated controls embedded in the company’s enterprise resource planning (ERP) system
- Reduced inconsistencies in data definitions
- Reduced duplicative controls in business processes and redundant information systems at remote locations
- Increased regulatory preparedness
- Increased assurance in cybersecurity programs
Company leaders may try to leverage data, optimize company operations, and avoid potentially bad decisions for years. However, the very act of testing IT controls forces auditors to conduct interviews and request documentation from those who operate control activities, which leads to clear operations improvements and reduced errors in financial reporting.
When auditors assess the design and operation of IT controls, they interview employees in finance and IT departments responsible for:
- Controlling access to financial data
- Approving and testing changes to systems that impact financial reporting
- Protecting the company from cyberattacks
Management often discovers that employees signing off on user access reviews are only glancing at the users in question. This means they’re not taking the time to understand the underlying roles and permissions users have accumulated over time, or how these break down critical segregation of duties.
After considering the results of the interviews and inspecting corresponding evidence, auditors identify control gaps and communicate them to management, the CFO, and sometimes the audit committee of the board.
Identifying control gaps is critical as companies face dangerous trends and data breaches.
These trends include:
- Increased phishing and malware attacks and corresponding data leaks
- New regulations—for example, California’s Consumer Privacy Act (CCPA)
- Shortage of finance, accounting, and IT professionals who understand controls
- More users with extended privileges or access to sensitive accounts, especially those who oversee the financial close and reporting process
- Increased data entry points due to remote access
- Management of applications without the IT department’s knowledge
When auditors test controls, management could discover many job descriptions need updating. Improved documentation helps companies onboard new employees more quickly and could be the fastest way to share knowledge when working remotely.
Merger and acquisition activity rarely includes plans to absorb a company into the buyer’s larger operational structure. This can lead to redundant applications, databases, and operating systems that create unnecessary risk and confusion.
Following IT-controls testing, some of these systems could be consolidated—allowing separate business units to report financial information on a single financial application, while reducing systems redundancies and strengthening operations.
Minimization of Errors
Manual processes could be one of the weakest links in a company’s operations, and working from home introduces distractions and other stresses that could disrupt effective operation of controls.
An IT controls assessment may reveal that your company needs to adopt an automated ERP resource, which consolidates manual processes into a single cloud-based system. An ERP system can also combine data from all company branches, while allowing management to track changes and address risk from any location at any time.
Ask your audit partner if they plan to include IT controls assessment as part of this year’s audit. If your audit already includes an IT controls assessment, ask what control gaps were identified during last year’s procedures, and understand what your company has done to remediate these.
Be sure to also ask your audit partner to explain the pros and cons of assessing the design and operating effectiveness of IT controls over your financial systems.
We’re Here to Help
If you have any questions about incorporating IT controls into your audit process, please contact your Moss Adams professional.