This is not an easy task. Why, because deficiencies in IT General Controls (ITGC) are not directly linked to the risk of a material error in the financial statements.
Instead, ITGC provide assurance of the continued and proper operation of the automated functionality that management relies upon. That automated functionality, which both the SEC and IIA (in its guidance) refer to as
critical functionality, includes (a) automated controls, (b) the automated part of semi-automated or hybrid controls (such as the report used in a control), and (c) the security of information, where unauthorized changes might be made bypassing controls and result in a material misstatement.
In other words, ITGC failures have an
indirect effect on the integrity of the financial statements. They affect key controls in business processes (those that contain critical functionality), and only those key controls in business processes have a direct effect.
For more on how to identify the ITGC key controls to include in a SOX program scope
see this post.
When a deficiency is found in a key ITGC, it is necessary to identify the critical functionality that might be affected. That may be one or many automated and semi-automated controls. Then, judgment is required as to whether the deficiency, when considered together with other manual and automated controls that are working, represents at least a reasonable likelihood of a significant or material error.
Fortunately, the IIA has published a Practice Guide (which is strongly recommended guidance) on the assessment of ITGC deficiencies as part of its GAIT family of products.
GAIT for IT General Controls Deficiency Assessment is a free download for IIA members.
The assessment process is built on six principles:
- In order to assess ITGC deficiencies, it is necessary to understand the "reliance chain" between the financial statements and the ITGC key controls that have failed.
- In order for there to be a material weakness, two tests have to be met: (a) likelihood and (b) impact (the potential misstatement of the financial statements).
- Because an ITGC deficiency does not directly affect the financial statements, the assessment is similarly not direct. The assessment is in stages or steps, and the likelihood and impact tests are applied across the combination of the steps.
- All ITGC deficiencies that relate to the same ITGC control objective should be assessed as a group.
- All ITGC control objectives that are not achieved and relate to the same key automated controls, key reports, or other critical functionality should be assessed as a group.
- The principle of aggregation requires that control deficiencies of all types — including manual and automated control deficiencies relating to the same significant account or disclosure — be considered as a group.
The principles and the detailed assessment process, which has ten steps, are explained in the Practice Guide and I refer you to that document.
- Are you familiar with this Practice Guide? If not, why not?
- Do you find it useful?