ITGC are ineffective. Is it a material weakness?

  • What constitutes an ineffective ITGC? If so, is it deemed a material weakness for 10-K disclosure?

  • This will depend on % materiality of your operations.

  • Determine Material Weaknesses
    Deficiencies in an entity’s internal control may range from inconsequential shortcomings to material weaknesses. A material weakness is a significant deficiency or an aggregation of significant deficiencies that precludes the entity’s internal control from providing reasonable assurance that material misstatements in the financial statements will be prevented or detected on a timely basis by employees in the normal course of performing their assigned functions.
    In determining which IT control deficiencies are significant, independent auditors will consider various factors such as the size of operations, complexity and diversity of activities, organizational structure, and the likelihood that the IT control deficiency could result in a misstatement of the organization’s financial records.
    Some overall consideration points*:

    • ITGC failures may not directly result in misstatements
    • Misstatements may result from ineffective programmed controls or IT-dependent manual controls
    • Need to be evaluated in relation to the underlying application controls
    • Classification will generally mirror the classification of the deficiency in the underlying application control

    Is it a significant deficiency?

    • Consider complementary controls
    • Related application control deficiencies and if so, significant deficiency? material weakness?
      If not, ITGC deficiency (or significant deficiency)?
    • Qualitative factors should be considered
    • What would a prudent official conclude?

    Qualitative Considerations:

    • Nature and significance (one control or many)
    • Pervasiveness of deficiency (one application or many)
    • Complexity of systems environment
    • Proximity of control to applications and data
    • Transactional or systematic in nature
    • Cause and frequency of known / detected exceptions
    • History of related misstatements / audit findings
    • Susceptibility to fraud

    Is the ITGC failure a material weakness?

    • Consider relationship to the application control: related deficiency in the application controls that results in a material weakness
    • Lack of attention to ITGC may indicate a poor IT control environment leading to a material weakness
    • ITGC significant deficiency that has not been remediated over time (PCAOB #2 - par. 140)

    *Source: Evaluating 404 IT Deficiencies: A Practical Approach That Works, by Ernst and Young

    So to answer your question, you should understand the ITGC weakness and consider other items (see above) to determine if disclosure reporting is required. As an experienced auditor, good auditor judgment and a degree of professional skepticism will support your decision.
    I apologize if this is not a direct answer, but the question posed is simple on its surface, yet complicated considering all relevant aspects.

  • Milan, Thanx
    The question is indeed complicated. Because three aspects viz. change management, logical access and operations in IT, lead to a concept of ITGC for SOX relevance.
    I agree that Professional skepticism is the key here. The qualitative factors indeed would help us determine the effectiveness.
    Your feedback surely aids my due diligence.

  • Might I suggest the following approach:

    1. How serious is the deficiency? Is it isolated in one area, e.g. logical access, or is the whole system a disaster?
    2. How pervasive is the impact on business processes? Is this affecting just one process or multiple? How many automated or IT-dependent controls are relying on this system?

    Based on the answers to these questions you can come up with various scenarios, e.g.

      a) the ITGC deficiencies are extensive and the system impacts a large number of business processes and controls - you’re probably up the creek without a paddle and looking at a reportable
      b) ITGC deficiencies are extensive but impact few processes and controls - write off the systems reliance and start looking for compensating manual controls. If you can find or design them then you should be able to get this out of the significant/material column.
      c) ITGC deficiencies are isolated - look to focus in on the controls impacted and mitigate them as indicated above.

    Basically, your only alternative to relying on ITGC is to find manual controls in the business process. If they don’t exist then you probably have a reportable weakness - depending on materiality.
