Figuring out and evaluating common IT controls

As we full our examination of the impacts of SAS 145 for tax and accounting professionals, we’ll construct on our earlier posts on danger evaluationdocumentation and evaluation, and balancing scope and complexity in auditing. On this final publish, we’ll take a look at dangers that may come up from the usage of IT in accounting and auditing.

Normal IT controls

Holding in keeping with developments in know-how and the widespread use of automation instruments and methods, SAS 145 acknowledges the usage of IT by each auditors and purchasers and expressly defines the dangers arising from the usage of IT.

No, this doesn’t imply that auditors must turn into IT consultants. It does imply they want to think about IT use by way of assertions. In addition they want to judge the complexity of a system, even off-the-shelf software program packages, and all that’s included.

SAS 145 gives enhanced and new definitions for the phrases “common IT controls” and “dangers arising from the usage of IT,respectively. Beneath the brand new normal, auditors are required to establish common IT controls that deal with the dangers arising from the usage of IT and, after they relate to sure recognized controls, as mentioned in a earlier publish, and to judge their design and decide their implementation.

What’s the definition of common IT controls?

SAS 145 defines “common IT controls” as: “Controls over the entity’s IT processes that help the continued correct operation of the IT surroundings, together with the continued efficient functioning of information-processing controls and the integrity of knowledge within the entity’s data system.”

Examples of common IT controls embrace:

  • Authentication
  • Privileged entry
  • Change administration insurance policies and procedures
  • Backup and restoration

Beneath SAS 145, “dangers arising from the usage of IT” is outlined as: “Susceptibility of information-processing controls to ineffective design or operation, or dangers to the integrity of knowledge within the entity’s data system, attributable to ineffective design or operation of controls within the entity’s IT processes.”

Considering by way of assertion, companies should still be questioning what IT controls to think about. The reply: these IT controls that influence the chance of fabric misstatement on the assertion degree.

What are the dangers of utilizing IT?

To help auditors, SAS 145 outlines a number of issues to assist decide whether or not IT purposes are topic to dangers arising from the usage of IT.

For instance, traits of upper danger IT purposes could embrace:

  • The quantity of knowledge or transactions is important.
  • Functions are interfaced.
  • The applying’s performance is complicated (e.g. it mechanically initiates transactions, and there are a number of complicated calculations underlying automated entries).
  • Administration depends on an utility system to course of or keep information, and administration depends upon the appliance system to carry out sure automated controls that the auditor has additionally recognized.

Traits of a decrease danger IT utility embrace:

  • The quantity of knowledge (transactions) will not be vital.
  • Functions stand-alone.
  • Every transaction is supported by unique onerous copy documentation.
  • The applying’s performance will not be complicated.


For all the benefits that know-how gives for companies, you will need to perceive the doable implications common IT controls can have. That is very true with regard to danger evaluation and the potential for materials misstatement.

Take motion now to make sure that your agency is absolutely ready for SAS 145. To be taught extra, view our webinar providing early steering on SAS No. 145.

That is the ultimate publish in a four-blog collection about SAS 145 and its influence on tax and accounting professionals. Try the primary three posts beneath:

Supply hyperlink

Related Articles


Please enter your comment!
Please enter your name here

- Advertisement -spot_img

Latest Articles