Remediated IT Control 850



  • I work in India for a US-based organization. In our company we had a situation where a control deficiency in 2004 was remediated by putting in place an automated application control (IT Control). The remediation (IT control) was tested (both by management and the external auditors) in 2004 and was found to be working effectively.
    My question is whether in 2005 this automated control needs to be tested again by the management even though we have an effective IT change management process in place? (The IT change management process will be tested in 2005).
    My thoughts on this are that if we have a robust IT change management process in place which would be tested in 2005 we do not need to additionally test the remediated IT control.
    Any views / thoughts on this would be appreciated. 🙂
    Thanks



  • Automated controls, as with manual controls, need to be evaluated annually. Normally this would be by ‘test of one’ so should be fairly straightforward.



  • I agree with at least annual testing of the control. One should ask, would operations be more efficient if the control is changed?



  • PCAOB in the Staff Question and Answers (Auditing Standard No 2 Internal Control, Question No 45) has expressed a view that:
    Automated application controls continue to perform a given control in exactly the same manner until the program is changed. Entirely automated application controls are not generally subject to breakdown due to human failure and this feature allows the auditor to benchmark or baseline these controls.
    If General controls over program changes, access to programs and computer operations are effective and continue to be tested and the automated application control has not changed since it was last tested, the auditor may conclude that the automated application control continues to be effective without repeating prior year’s specific tests.
    Using the same logic can the management also not conclude that the automated application control continues to be effective without repeating prior year’s specific tests?



  • "Using the same logic can the management also not conclude that the automated application control continues to be effective without repeating prior year’s specific tests?"
    No. Data changes. Chance is a factor. Sometimes people make changes and don’t tell you. Life happens. Never assume the obvious. Execute the test and then you can say it was tested. Don’t execute the test, sometime a bad thing happens, then you must answer the question: Did you test the control?

