Relying on a system control



  • Do effective IT controls negate the need for IT dependent manual controls? As an example, we have a control that reads, ‘System automatically calculates depreciation on subledger assets’. If the system can be tested to confirm it is configured properly and will therefore calculate depreciation correctly, is there a need for a detective control that would entail the review of the system-produced information?
    Thanks.



  • In your example, what if the data was entered incorrectly or there was a change in the asset status? You would want to review automated data from a practical point of view. Would that be considered a manual control?



  • In my company, we would test two areas. First, once a year, we would test the automated, ‘Depreciation is calculated by the accounting software control.’ Then we would test that information was input into the system correctly. Maybe as a monthly control, we would say, ‘Review a listing of all new depreciable assets and verify that information in the system agrees to source documentation.’
    These two controls would satisfy associated risks through both preventive and detective controls.
    Hope this helped.
    J



  • Do effective IT controls negate the need for IT dependent manual controls?
    Hi - The word ‘negate’ threw up a stop sign for me 😉 … Maybe one way of looking at this is ‘Good IT controls will reduce the need for IT dependent manual controls’. Certainly, computer based calculations are always going to be 100% accurate, as long as the production programs certified in testing don’t change or the data is entered properly. Or as I often say, ‘computers do what you tell them to, and not what you always want them to do’ :D
    With that said, it’s always a best audit practice to sample, test, and recertify computer related calculations. Whether SOX-related or not, it’s always good to ensure an automated calculation is working as expected by briefly recalculating manually (e.g., in case of program changes, or perhaps some ‘once in a blue moon’ condition might have bypassed QA testing).
    As a bottom line, I think you can rely on computer based calculations to be accurate and if widespread issues occur they are most likely caught quickly. Still, as programs are written and data is entered by imperfect humans – it’s prudent to re-check things periodically. One final old saying, ‘to err is human and to really foul up things takes a computer’.



  • IT controls do not NEGATE any possibility. Application controls are purely a matter of configuration and setting, which is a conscious choice of management.
    In your case, if the application is configured to compute depreciation, it would be useful to see that a full-fledged UAT covering all the related functionalities of the application was done.
    Again, each time an asset is created, the useful life, value, etc. are to be keyed in; depreciation is merely a computation based on input.
    Application controls can support the control over processing and cannot support input controls in totality.
    Control framework needs to be necessarily a mix of manual and automated controls and further a mix of preventive and detective controls.
    If everything is automated then the world would be MATRIX and not the world that is now
    :lol: 😎

