An entity’s system of internal control is likely to contain manual and automated elements, the characteristics of which are relevant to the auditor’s risk assessment and further audit procedures based thereon. Conducting an IT audit risk assessment is one of the most critical components of the audit risk management process. Identifying the magnitude of potential losses and the likelihood that they will occur are challenging tasks for any organization, but must be performed thoroughly. Audit risk team of professionals has extensive experience conducting IT audit risk assessments.
Potential Benefits of Information Technology (IT): Information Technology provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to:
- Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data;
- Enhance the timeliness, availability, and accuracy of information;
- Facilitate the additional analysis of information;
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures;
- Reduce the risk that controls will be circumvented; and
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
Potential Risks of Information Technology (IT): Information Technology also poses specific risks to an entity’s internal control, including the following:
- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
- The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss of data or inability to access data as required.