IT and Finance: Unite!
September 11, 2006
The IIA's comments to the SEC bring up, several times, the question of how ITGC (IT general controls) should be treated in relation to financial controls.
In paragraph 19-d:
It may be possible to identify a combination of ...
In paragraph 29:
Increased or reduced reliance on key ITGC controls, depending on risk and the presence of other controls.
In paragraph 34:
In the absence of current guidance that enables an identification of specific risks, many organizations are performing full ITGC testing on all applications involved in financial processes. As we indicated in our response to the recent Roundtable, we believe that has led to excessive testing and resource costs among both registrants and their auditors.
Furthermore, as information technology supports the underlying business process, risk and control assessment should be focused first from the specific of that business process. Separate and distinct information technology standards may confuse that point.
The treatment of ITC as a realm apart from financial controls is a wasteful distraction from 404 objectives, and a misapplied byproduct of financial statement audit theory. For 404, any set of controls that mitigates the financial statement risks - i.e. that safeguards the assertions - is sufficient. Classifying certain controls as IT and others as financial, and the differential treatment they receive as a result, is counterproductive and highly inefficient. While I recognize that certain ITGC cannot be compensated for by financial controls (program change controls, for example), there is no reason to treat these critical IT controls any differently from critical financial controls. The wall between ITC and FC should fall, and both types of controls should be directed toward the single objective of mitigating risks to the financial assertions. If there is any reason to classify ITGC separately from FC, it is in the same sense that we classify preventive controls separately from detective controls, or automated controls from manual controls. A good combination of both is desired - and perhaps even needed - but the testing guidelines and the identification of key controls should be one exercise that covers both categories. Just as preventive and detective controls are consolidated into a single set of controls that management designates to mitigate the financial risks, so too should ITGC and FC be integrated.
So to my external auditors, and my friends in the IT department: Please don't ever start a sentence with the words "But from an IT perspective..." There is no IT perspective in 404. The objective is to prevent financial misstatement. To the extent that ITGC accomplishes that, they are needed, just like any other financial control. Beyond that, they don't matter.
1 Comment:
commented by herbie, 2:28 PM
So it's black belt 404, so you have reached Dante's 404 level of the Inferno (Divine Comedy); oops, you went a little too far.
Great site; however, I don't agree with your conclusion that for 404 purposes IT and FC should be considered as one. One control represents the mechanical method chosen to produce the financials; the other control is the presentation of the financial information. You could in theory have a dysfunctional IT system and still manually work around the IT process to produce the financials; in this case the company would pass 404. However, when they are viewed separately, the company would fail due to the lack of adequate IT controls.