
Understanding IT Risks and Internal Controls

Updated: Dec 31, 2022


Most entities today use information technology (IT) to manage, control, and report on at least some of their activities.


A central support team often manages IT operations that ensure the day-to-day users (staff) have appropriate access to the hardware, software, and applications required to perform their responsibilities.


In smaller entities, IT management may be the responsibility of just one, or even a part-time or outsourced, person.


Regardless of the entity’s size, there are several risk factors relating to IT management and applications that, if not mitigated, could result in a material misstatement in the financial statements.


There are two types of IT controls that need to work together to ensure complete and accurate information processing:

  • General IT controls

These controls operate across all applications and usually consist of a mixture of automated controls (embedded in computer programs) and manual controls (such as the IT budget and contracts with service providers); and

  • IT application controls

These automated controls relate specifically to applications (such as sales processing or payroll).

There is also a third kind of control, which has a manual and an IT element.


These controls can be called IT-dependent controls.


The control is performed manually, but its effectiveness relies on information produced by an IT application.


For example, the financial manager may review the monthly/quarterly financial statement (generated by the accounting system) and investigate variances.


The following outlines the scope of general IT controls.


Standards, Planning, Policies, etc. (The IT Control Environment)

  • The IT governance structure.

  • How IT risks are identified, mitigated, and managed.

  • The required information system, strategic plan (if any), and budget.

  • IT policies, procedures, and standards. The organisational structure and segregation of duties.

  • Contingency planning.


Security over Data, the IT Infrastructure, and Daily Operations

  • Acquisitions, installations, configurations, integration, and maintenance of the IT infrastructure.

  • Delivery of information services to users.

  • Management of third-party providers.

  • Use of system software, security software, database-management systems, and utility programs.

  • Incident tracking, system logging, and monitoring functions.

Access to Programs and Application Data

  • Issuance/removal and security of user passwords and IDs.

  • Internet firewalls and remote-access controls.

  • Data encryption and cryptographic keys.

  • User accounts and access-privilege controls.

  • User profiles that permit or restrict access.


Program Development and Program Changes

  • Acquisition and implementation of new applications.

  • System development and quality-assurance methodology.

  • The maintenance of existing applications, including controls over program changes.


Monitoring of IT Operations

Policies, procedures, inspections, and exception reports ensure:

  • That information users are receiving accurate data for decision-making;

  • Ongoing compliance with general IT controls; and

  • IT serves the entity’s needs and is aligned with the business requirements.


IT Application Controls

IT application controls relate to a particular software application used at the business process level.


Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.
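The following is an added example, not code from the original article, that makes the preventive/detective distinction concrete and also illustrates the IT-dependent control described earlier (a manager reviewing system-generated variances). It models a toy general ledger: `validate_entry` is a preventive application control that rejects unbalanced, closed-period or unknown-account journal entries before they are posted, and `variance_exceptions` is a detective control that produces the exception report a financial manager would investigate. The chart of accounts, closed periods, thresholds and sample entries are all constructed for illustration.

```python
# Added example (not from the original article): one preventive and one detective
# application control over a toy general ledger. Account codes, thresholds and
# the sample entries below are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed chart of accounts (constructed): code -> name
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Receivables", "4000": "Sales", "5000": "Payroll"}
# Accounting periods that have been closed; postings into them must be rejected
CLOSED_PERIODS = {"2022-11"}


@dataclass(frozen=True)
class JournalLine:
    account: str
    debit: float = 0.0
    credit: float = 0.0


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    period: str                     # e.g. "2022-12"
    lines: Tuple[JournalLine, ...]


def validate_entry(entry: JournalEntry) -> List[str]:
    """Preventive control: input validation applied before anything is posted.
    Returns the list of violations; an empty list means the entry may be posted."""
    errors: List[str] = []
    if not entry.lines:
        errors.append("entry has no lines")
    if entry.period in CLOSED_PERIODS:
        errors.append(f"period {entry.period} is closed")
    for line in entry.lines:
        if line.account not in CHART_OF_ACCOUNTS:
            errors.append(f"unknown account {line.account}")
        if line.debit < 0 or line.credit < 0:
            errors.append(f"negative amount on account {line.account}")
        if line.debit and line.credit:
            errors.append(f"line on {line.account} is both debit and credit")
    total_debit = sum(l.debit for l in entry.lines)
    total_credit = sum(l.credit for l in entry.lines)
    if round(total_debit - total_credit, 2) != 0:
        errors.append(f"entry does not balance: dr {total_debit:.2f} != cr {total_credit:.2f}")
    return errors


def post_entries(entries, ledger: Dict[str, float] = None):
    """Post every valid entry to a copy of the ledger (debits positive, credits negative).
    Returns (ledger, rejected) where rejected maps entry_id -> reasons."""
    ledger = dict(ledger or {})
    rejected: Dict[str, List[str]] = {}
    for entry in entries:
        errors = validate_entry(entry)
        if errors:
            rejected[entry.entry_id] = errors   # preventive: never reaches the ledger
            continue
        for line in entry.lines:
            ledger[line.account] = ledger.get(line.account, 0.0) + line.debit - line.credit
    return ledger, rejected


def variance_exceptions(current: Dict[str, float], prior: Dict[str, float],
                        threshold_pct: float = 20.0, min_abs: float = 1000.0):
    """Detective control: flag accounts whose balance moved by more than threshold_pct
    AND by at least min_abs since the prior period. This is the system-generated
    exception report that a financial manager reviews (the IT-dependent control)."""
    exceptions = []
    for account in sorted(set(current) | set(prior)):
        cur, old = current.get(account, 0.0), prior.get(account, 0.0)
        delta = cur - old
        if abs(delta) < min_abs:
            continue
        pct = abs(delta) / abs(old) * 100 if old else float("inf")
        if pct > threshold_pct:
            exceptions.append((account, CHART_OF_ACCOUNTS.get(account, "?"),
                               round(old, 2), round(cur, 2), round(delta, 2)))
    return exceptions


# Constructed sample input: one valid entry and three that each break a rule
SAMPLE_ENTRIES = (
    JournalEntry("JE-001", "2022-12", (JournalLine("1200", debit=5000.0), JournalLine("4000", credit=5000.0))),
    JournalEntry("JE-002", "2022-12", (JournalLine("5000", debit=3000.0), JournalLine("1000", credit=2500.0))),
    JournalEntry("JE-003", "2022-11", (JournalLine("1000", debit=100.0), JournalLine("4000", credit=100.0))),
    JournalEntry("JE-004", "2022-12", (JournalLine("9999", debit=50.0), JournalLine("1000", credit=50.0))),
)
# Constructed closing balances of the prior period
PRIOR_BALANCES = {"1000": 20000.0, "1200": 8000.0, "4000": -40000.0, "5000": 30000.0}


def run_demo():
    """Post the sample batch, then run the variance report against the prior period."""
    ledger, rejected = post_entries(SAMPLE_ENTRIES, PRIOR_BALANCES)
    return ledger, rejected, variance_exceptions(ledger, PRIOR_BALANCES)


if __name__ == "__main__":
    ledger, rejected, exceptions = run_demo()
    for entry_id, reasons in rejected.items():
        print(f"REJECTED {entry_id}: {'; '.join(reasons)}")
    for account, name, old, cur, delta in exceptions:
        print(f"REVIEW {account} {name}: {old:.2f} -> {cur:.2f} (change {delta:+.2f})")
```

Only JE-001 reaches the ledger; the other three are rejected with a stated reason, which is what makes the control preventive. The variance report then flags Receivables (up 62.5%) but not Sales (down 12.5%, under the threshold), so the manager's review effort is directed by information the application produced, exactly the dependency the article describes.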