Identifying and Assessing Risks of Material Misstatement
Appendix B – Consideration of Manual and Automated Systems and Controls
B1. While obtaining an understanding of the company's information system related to financial reporting, the auditor should obtain an understanding of how the company uses information technology ("IT") and how IT affects the financial statements.1/ The auditor also should obtain an understanding of the extent of manual controls and automated controls used by the company, including the IT general controls that are important to the effective operation of the automated controls. That information should be taken into account in assessing the risks of material misstatement.2/
B2. Controls in a manual system might include procedures such as approvals and reviews of transactions, and reconciliations and follow-up of reconciling items.
B3. Alternatively, a company might use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format would replace paper documents. When IT is used to initiate, record, process, and report transactions, the IT systems and programs may include controls related to the relevant assertions of significant accounts and disclosures or may be critical to the effective functioning of manual controls that depend on IT.
B4. The auditor should obtain an understanding of specific risks to a company's internal control over financial reporting resulting from IT. Examples of such risks include:
- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both;
- Unauthorized access to data that might result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions (particular risks might arise when multiple users access a common database);
- The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties;
- Unauthorized changes to data in master files;
- Unauthorized changes to systems or programs;
- Failure to make necessary changes to systems or programs;
- Inappropriate manual intervention; and
- Potential loss of data or inability to access data as required.
B5. In obtaining an understanding of the company's control activities, the auditor should obtain an understanding of how the company has responded to risks arising from IT.
B6. When a company uses manual elements in internal control systems and the auditor plans to rely on, and therefore test, those manual controls, the auditor should design procedures to test the consistency in the application of those manual controls.