CCS

Understanding IT Risks and Internal Controls

Updated: Dec 31, 2022


Most entities today use information technology (IT) to manage, control, and report on at least some of their activities.


A central support team often manages IT operations that ensure the day-to-day users (staff) have appropriate access to the hardware, software, and applications required to perform their responsibilities.


In smaller entities, IT management may be the responsibility of just one, or even a part-time or outsourced, person.


Regardless of the entity’s size, there are several risk factors relating to IT management and applications that, if not mitigated, could result in a material misstatement in the financial statements.


There are two types of IT controls that need to work together to ensure complete and accurate information processing:

  • General IT controls

These controls operate across all applications and usually consist of a mixture of automated controls (embedded in computer programs) and manual controls (such as the IT budget and contracts with service providers); and

  • IT application controls

These automated controls relate specifically to applications (such as sales processing or payroll).

There is also a third kind of control, which has a manual and an IT element.


These controls can be called IT-dependent controls.


The control is performed manually, but its effectiveness relies on information produced by an IT application.


For example, the financial manager may review the monthly/quarterly financial statement (generated by the accounting system) and investigate variances.


The following outlines the scope of general IT controls.


Standards, Planning, Policies, etc. (The IT Control Environment)

  • The IT governance structure.

  • How IT risks are identified, mitigated, and managed.

  • The required information system, strategic plan (if any), and budget.

  • IT policies, procedures, and standards.

  • The organisational structure and segregation of duties.

  • Contingency planning.


Security over Data, the IT Infrastructure, and Daily Operations

  • Acquisitions, installations, configurations, integration, and maintenance of the IT infrastructure.

  • Delivery of information services to users.

  • Management of third-party providers.

  • Use of system software, security software, database-management systems, and utility programs.

  • Incident tracking, system logging, and monitoring functions.

Access to Programs and Application Data

  • Issuance/removal and security of user passwords and IDs.

  • Internet firewalls and remote-access controls.

  • Data encryption and cryptographic keys.

  • User accounts and access-privilege controls.

  • User profiles that permit or restrict access.


Program Development and Program Changes

  • Acquisition and implementation of new applications.

  • System development and quality-assurance methodology.

  • The maintenance of existing applications, including controls over program changes.


Monitoring of IT Operations

Policies, procedures, inspections, and exception reports ensure:

  • That information users are receiving accurate data for decision-making;

  • Ongoing compliance with general IT controls; and

  • IT serves the entity’s needs and is aligned with the business requirements.

IT Application Controls

IT application controls relate to a particular software application used at the business process level.


Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.


Typical application controls are procedures used to initiate, record, process, and report transactions or other financial data.


These controls help ensure that transactions occur, are authorised, and are completely and accurately recorded and processed.


Examples include edit checks of input data with correction at the point of data entry and numerical sequence checks with manual follow-up of exception reports.
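The two application controls named above, as an added illustration that is not code from the original article: a preventive edit check that rejects a bad record at the point of data entry, and a detective numerical sequence check that produces an exception report for manual follow-up. The record layout, the approved account list and the sample batch are constructed here for the example.

```python
# Added example, not from the original article: a preventive edit check at
# data entry plus a detective sequence check that yields an exception report
# for manual follow-up. Record layout and sample data are constructed.
from decimal import Decimal, InvalidOperation

APPROVED_ACCOUNTS = {"4000", "4010", "4020"}  # assumed sales accounts

def edit_check(raw: dict) -> list[str]:
    """Preventive control: errors to fix before the record is accepted."""
    errors = []
    try:
        if int(raw.get("number", "")) <= 0:
            errors.append("invoice number must be a positive integer")
    except ValueError:
        errors.append("invoice number missing or not numeric")
    if raw.get("account") not in APPROVED_ACCOUNTS:
        errors.append(f"account {raw.get('account')!r} not in chart of accounts")
    try:
        if Decimal(str(raw.get("amount", ""))) <= 0:
            errors.append("amount must be greater than zero")
    except InvalidOperation:
        errors.append("amount missing or not a number")
    return errors

def sequence_exceptions(accepted: list[dict]) -> dict:
    """Detective control: gaps and duplicates in invoice numbering for review."""
    numbers = [int(r["number"]) for r in accepted]
    seen, duplicates = set(), set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    expected = set(range(min(numbers), max(numbers) + 1)) if numbers else set()
    return {"gaps": sorted(expected - seen), "duplicates": sorted(duplicates)}

def run_batch(batch: list[dict]) -> dict:
    """Apply the preventive check first, then the detective check on what passed."""
    rejected = {r.get("number"): e for r in batch if (e := edit_check(r))}
    accepted = [r for r in batch if not edit_check(r)]
    return {"rejected": rejected, **sequence_exceptions(accepted)}

# Constructed batch: one record fails at entry; the rest show a gap at 1003
# and a duplicate of 1004 on the exception report.
SAMPLE_BATCH = [
    {"number": "1001", "account": "4000", "amount": "250.00"},
    {"number": "1002", "account": "4010", "amount": "99.50"},
    {"number": "abc", "account": "9999", "amount": "-5"},
    {"number": "1004", "account": "4020", "amount": "1200.00"},
    {"number": "1004", "account": "4020", "amount": "1200.00"},
    {"number": "1005", "account": "4000", "amount": "30.25"},
]
```

The rejected record never reaches the ledger (preventive), while the gap and duplicate are only surfaced afterwards on the report and still need a person to investigate them (detective).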

