
Understanding IT Risks and Internal Controls

Updated: Dec 31, 2022

Most entities today use information technology (IT) to manage, control, and report on at least some of their activities.

A central support team often manages IT operations that ensure the day-to-day users (staff) have appropriate access to the hardware, software, and applications required to perform their responsibilities.

In smaller entities, IT management may be the responsibility of just one person, who may even be part-time or outsourced.

Regardless of the entity’s size, there are several risk factors relating to IT management and applications that, if not mitigated, could result in a material misstatement in the financial statements.

There are two types of IT controls that need to work together to ensure complete and accurate information processing:

  • General IT controls

These controls operate across all applications and usually consist of a mixture of automated controls (embedded in computer programs) and manual controls (such as the IT budget and contracts with service providers); and

  • IT application controls

These automated controls relate specifically to applications (such as sales processing or payroll).

There is also a third kind of control, which has a manual and an IT element.

These controls can be called IT-dependent controls.

The control is performed manually, but its effectiveness relies on information produced by an IT application.

For example, the financial manager may review the monthly/quarterly financial statement (generated by the accounting system) and investigate variances.

The following outlines the scope of general IT controls.

Standards, Planning, Policies, etc. (The IT Control Environment)

  • The IT governance structure.

  • How IT risks are identified, mitigated, and managed.

  • The required information system, strategic plan (if any), and budget.

  • IT policies, procedures, and standards. The organisational structure and segregation of duties.

  • Contingency planning.

Security over Data, the IT Infrastructure, and Daily Operations

  • Acquisitions, installations, configurations, integration, and maintenance of the IT infrastructure.

  • Delivery of information services to users.

  • Management of third-party providers.

  • Use of system software, security software, database-management systems, and utility programs.

  • Incident tracking, system logging, and monitoring functions.

Access to Programs and Application Data

  • Issuance/removal and security of user passwords and IDs.

  • Internet firewalls and remote-access controls.

  • Data encryption and cryptographic keys.

  • User accounts and access-privilege controls.

  • User profiles that permit or restrict access.

Program Development and Program Changes

  • Acquisition and implementation of new applications.

  • System development and quality-assurance methodology.

  • The maintenance of existing applications, including controls over program changes.

Monitoring of IT Operations

Policies, procedures, inspections, and exception reports ensure:

  • That information users are receiving accurate data for decision-making;

  • Ongoing compliance with general IT controls; and

  • IT serves the entity’s needs and is aligned with the business requirements.
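The access controls listed above (issuance and removal of user IDs, access-privilege controls, segregation of duties) are typically tested with a periodic user access review fed by an exception report, which is itself an IT-dependent control: the report is automated, the follow-up is manual. The script below is an added illustration, not code from the page; it reconciles a constructed HR roster against a constructed application user list and flags leavers still active, orphan accounts, and segregation-of-duties conflicts. The roster, users, privilege names and conflict pairs are all assumed sample data.

```python
from datetime import date

# Constructed sample data (assumed, not from the page): HR roster and application users.
HR_ROSTER = {
    "alice": {"role": "AP clerk", "left": None},
    "bob": {"role": "AP manager", "left": None},
    "carol": {"role": "Sales", "left": date(2022, 11, 30)},  # left the entity
}
APP_USERS = [
    {"id": "alice", "active": True, "privs": {"create_vendor", "approve_payment"}},
    {"id": "bob", "active": True, "privs": {"approve_payment"}},
    {"id": "carol", "active": True, "privs": {"post_invoice"}},
    {"id": "svc_batch", "active": True, "privs": {"post_invoice"}},  # no HR record
]
# Privilege combinations one person should not hold (segregation of duties); assumed names.
SOD_CONFLICTS = [
    ({"create_vendor", "approve_payment"}, "vendor creation + payment approval"),
]
REVIEW_DATE = date(2022, 12, 31)  # period end for the access review


def access_exceptions(roster, users, as_of):
    """Return (user_id, reason) pairs for the reviewer to investigate.

    Three detective checks: account has no HR record (orphan), account still
    active after the employee's leaving date, and conflicting privileges held
    by one account. Results are sorted so the report is stable run to run.
    """
    findings = []
    for u in users:
        emp = roster.get(u["id"])
        if emp is None:
            findings.append((u["id"], "no matching employee in HR roster"))
        elif emp["left"] is not None and emp["left"] <= as_of and u["active"]:
            findings.append((u["id"], f"active account, employee left {emp['left']}"))
        for pair, label in SOD_CONFLICTS:
            if pair <= u["privs"]:
                findings.append((u["id"], f"segregation-of-duties conflict: {label}"))
    return sorted(findings)


if __name__ == "__main__":
    # Print the exception report the financial or IT manager would review and sign off.
    for user_id, reason in access_exceptions(HR_ROSTER, APP_USERS, REVIEW_DATE):
        print(f"{user_id:<10} {reason}")
```

The report only flags; evidence that each exception was investigated and resolved is what an auditor will ask for when testing the control.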

IT Application Controls

IT application controls relate to a particular software application used at the business process level.

Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.