Scope of applications vs Risk Approach 445



  • Hi,
    I would like to ask you something.
    Most companies work with the following logic regarding to General Computer Controls.

    1. Define Materiality per financial statement line item
    2. Define Processes that lead to line item
      My question is, if you do this as described above you could miss out some risks in the information flow that lead to financial statement line items. Beacuse interfacing with other systems could be out scope, front office applications (key controls are identified in other systems) could be out of scope or any other module or application that the user organisations does not have the knowledge of that are part of the total data flow.
      Should you have insight in the total data flow?


  • This post is deleted!


  • This post is deleted!


  • The short answer is yes.
    However, significant data transfers between systems SHOULD be incorporated within the processes and controsl identified to address any relevant risks.
    Having an overview of the total data flow may result in questions over whether all the relevant risks have been addressed within the process documents.



  • Yep, I agree with Denis.
    That’s exactly the reason why we did the documentation of the business process together with the IT People. You’ll experience some dumb faces at the business line side, when IT comes up with the controls they practise within the process business actually doesn’t know about.


Log in to reply