IT Controls to Consider

The following IT controls should be considered for compliance with PCAOB Auditing Standard No. 5:

  • Access to Programs and Data

    Controls provide reasonable assurance that all financially significant systems (that is, networks, applications, and databases) are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.

    Risks of Non-compliance – Informal security administration and monitoring activities might result in unauthorized and/or inappropriate access to key financial systems, which might negatively impact the existence, accuracy and completeness of financial statements.

  • Application Software Changes

    Controls provide reasonable assurance that all systems and system changes are appropriately requested, approved, tested, and validated by authorized personnel before implementation in the production environment.

    Risks of Non-compliance – Informal change management activities might result in unauthorized changes and/or improper roll-out of new source code to key financial systems. This can negatively impact the existence, accuracy and completeness of financial statements.

  • Computer Operations

    Controls provide reasonable assurance that authorized programs are executed as planned and deviations from scheduled processing are identified and investigated.

    Controls provide reasonable assurance that data recorded, processed, and reported remain complete, accurate and valid throughout the storage process.

    Controls provide reasonable assurance that problems and issues with the processing of business/IT transactions are addressed in a timely manner.

    Controls provide reasonable assurance that third-party services are appropriately retained and monitored to ensure that activities are executed in accordance with Company standards.

    Risks of Non-compliance – Unauthorized program execution might result in inaccurate or untimely processing of key financial data.

    Informal and/or ineffective data management activities might result in loss of key financial data that can negatively impact the existence, accuracy and completeness of financial statements.

    Informal and/or ineffective problem management activities might result in unresolved system issues that might negatively impact the existence, accuracy and completeness of financial data.

    Informal third-party services management might result in vendor activities that are inconsistent with company standards. This might lead to a negative impact on the accuracy and completeness of financial statements.

  • Program Development

    Controls provide reasonable assurance that systems are developed and/or purchased in a manner that supports the accuracy and completeness of financial statements.

    Risks of Non-compliance – Informal system development activities might result in improper rollout of key financial systems.