Risk assessment and IT controls 2067

  • The PCAOB stated that no single IT control can lead to a material weakness in itself
    The revised PCAOB/SEC guidance encourages a top down, risk based assessment of controls for testing.
    Therefore would you conclude that no IT control could be deemed high risk?

  • Hi WL - The inference shared reminded me of some of one of my logic classes in college … (or using an example from the game of chess, if player A usually wins over B … then B wins over C … then why does player C beat A?) 😉 🙂
    What you’ve shared may be true, but I’m not very well versed on the upcoming changes yet (mainly due to the size of the documents). Hopefully, the revised SOX 404 will make our work to be compliant from the IT side a little easier.
    The 1,690 page PDF document for the revised PCAOB recommendations is a huge document to try to ascertain at this point. On page 467 of the huge 42MB PDF is the start of related questions/answers from earlier work back in FEB 2007 (e.g., regarding the top down approach and page 473 discusses materiality weaknesses in the new approach). Finally, starting on page 1626 is the start of the Appendix sections which have much of the definitions and new approach defined. We’ll definitely need some guidance and good working examples of how to properly adhere to the new SOX 404 approaches.
    PCAOB - Proposed SOX changes (subject to SEC approval)

  • I have not read the AS5 or the SEC guidelines but can you specify the section or page where it is mentioned?
    Also are you talking about ITGC or application related controls?
    Deficient IT control cannot be classified as MW but it can lead to an MW. ITGC has bearing on multiple Application related controls and if these controls are related to significant accounts then a deficiency in ITGC can sure lead to a MW. An example in case would be SOD related controls.
    Change Management related controls also have a direct bearing on the integrity of any application and related data. If these applications are related to significant accounts then i don’t think IT can deem these controls as low risk.
    I agree however to the fact that if good preventive and detective controls are embedded in the business process a lot of high risk IT controls can be downgraded to medium or low risk. But then IT need some definitive guidance from the business side for this and before that happen IT has to keep them as high risk. Problem is there is a lack of coordination between IT and Business side as none of them has a good understanding of the other side.
    That said one financial application in my company was classified as out of scope by external auditors during the integrated testing as there were good controls on the business side to compensate/detect/prevent any shortcomings in the operation of the application.

  • Can someone give me an overview of the control types below?
    Control Type (D,W,M,Q,Y,MTPD,IT,A)

  • Can someone give me an overview of the control types below?
    Control Type (D,W,M,Q,Y,MTPD,IT,A)
    I would guess at Daily, Weekly, Monthly, Quarterly, Yearly, Many Times Per Day, IT and Automated

  • Thank you so much. 😄

Log in to reply