During the COVID-19 pandemic, work-from-home environments became normal, and the maintenance of internal controls over financial reporting (ICFR) was often deferred. Organizations tend to prioritize pressing staffing and resourcing concerns during times of disruption, which could put the entity at risk for mutating cyber variants.
Most companies defer the maintenance of ICFR for years due to staffing and budget constraints. However, well-designed information technology (IT) controls are foundational for optimizing a company’s operations, providing transparency, and protecting its most precious resource—its data.
Remote work environments might be the norm for a long time and test organizations’ IT infrastructures as never before. It’s likely time to confront your organization’s deferred maintenance. By asking external auditors to examine how well your organization’s IT controls are designed and operate, your organization can reduce its exposure to cyber variants, both within a work-from-home environment and overall.
This article answers the following questions:
- What Is IT Control Testing?
- What Are the Benefits of IT Control Testing?
- What Is the Benefit of Including IT Control Testing in Audits?
- What Does the Assessment Process Look Like When Audits Include IT Control Testing?
- What Are the Potential Outcomes of IT Control Testing?
What Is IT Control Testing?
IT control testing is an audit procedure an organization uses to test the effectiveness of an IT control. It confirms that automated controls operate correctly and that the key reports used in financial reporting are accurate and complete.
Depending on the results of IT control tests, auditors may choose to rely upon an organization’s system of controls as part of their auditing activities. However, if the controls aren’t designed or operating effectively, auditors increase their use of substantive testing, which usually increases the cost of an audit.
What Are the Benefits of IT Control Testing?
The benefits of IT control testing include:
- Accelerated employee onboarding
- Informed employees who understand their control responsibilities and IT risk
- Time and cost savings when implementing new financial reporting systems
- Automated controls embedded in the company’s enterprise resource planning (ERP) system
- Reduced inconsistencies in data definitions
- Reduced duplicative controls in business processes and redundant information systems at remote locations
- Increased regulatory preparedness
- Increased assurance in cybersecurity programs
What Is the Benefit of Including IT Control Testing in Audits?
Not everyone agrees IT controls testing should be included as part of their audit of financial statements. What’s the value of testing IT controls when sampling a large number of financial transactions and tying these transactions back to source documents can still result in an audit opinion? Company leaders may try to leverage data, optimize company operations, and avoid potentially bad decisions for years.
However, the very act of testing IT controls forces auditors to conduct interviews and request documentation from those who operate control activities, which leads to clear operations improvements and reduced errors in financial reporting.
When audit committees and chief financial officers (CFOs) hire auditors, they often aspire to:
- Combat fraud
- Improve the reliability of financial reporting
- Boost investor confidence
Executives who recognize the advantages of including IT controls testing in their audits understand how their organization benefits.
What Does the Assessment Process Look Like When Audits Include IT Control Testing?
First, the external auditors will interview key employees. Then, the auditors seek to identify control gaps.
When auditors assess the design and operation of IT controls, they interview employees in finance and IT departments who:
- Control access to financial data
- Approve and test changes to systems that impact financial reporting
- Protect the company from cyberattacks
Management often discovers that employees signing off on user access reviews only glance at the users in question. This means they don’t take time to understand how users accumulate underlying roles and permissions over time or to enforce segregation of duties.
After considering the results of the interviews and inspecting corresponding evidence, auditors identify control gaps and communicate them to management, the CFO, and sometimes the audit committee of the board.
Identifying control gaps is critical as companies face dangerous trends and data breaches.
These trends include:
- Increased phishing and malware attacks and corresponding data leaks
- New regulations—for example, California’s Consumer Privacy Act (CCPA)
- Shortage of finance, accounting, and IT professionals who understand controls
- More users with extended privileges or access to sensitive accounts, especially those who oversee the financial close and reporting process
- Increased data entry points due to remote access
- Management of applications without the IT department’s knowledge
What Are the Potential Outcomes of IT Control Testing?
Many benefits stem from including IT control testing in your organization’s audits; three potential outcomes to anticipate include:
- Improved documentation
- Reduced systems complexity
- Minimization of errors
Improved Documentation
When auditors test controls, management could discover many job descriptions need updating. Improved documentation helps companies quickly onboard new employees and could be the fastest way to share knowledge when working remotely.
Reduced Systems Complexity
Merger and acquisition (M&A) activity rarely includes plans to absorb a company into the buyer’s larger operational structure. This can lead to redundant applications, databases, and operating systems that create unnecessary risk and confusion.
Following IT control testing, some of these systems could be consolidated, allowing separate business units to report financial information on a single financial application while reducing systems redundancies and strengthening operations.
Minimization of Errors
Manual processes could be one of the weakest links in a company’s operations, and working from home introduces distractions and other stresses that could disrupt effective operation of controls.
An IT controls assessment may reveal that your company needs to adopt an ERP system, which consolidates manual processes into a single cloud-based system. An ERP system can also combine data from all company branches, while allowing management to track changes and address risk from any location at any time.
Ask your audit partner if they plan to include IT controls assessment as part of this year’s audit.
If your audit already includes an IT controls assessment, ask which control gaps last year’s procedures identified, and understand what steps your company took to remediate these.
Don’t forget to ask your audit partner to explain the pros and cons of assessing the design and operating effectiveness of ICFR.
We’re Here to Help
If you have any questions about incorporating IT controls into your audit process, please contact your Moss Adams professional.