Have you ever been invited to a meeting where the IT auditors have identified an IT control failure and everyone is running around like the sky is falling? How is it that one IT control failure can cause so much havoc?
Today’s businesses rely on IT systems for operations and accounting. Each account balance and business process has risks relevant to financial reporting. Manual and automated controls are designed and implemented to address those risks. Let’s break down “IT reliance” of these controls:
Manual controls: a person is usually performing the control; however, manual controls often rely on information in systems, Excel, and reports, all of which can be classified as Information Used in the Control (IUC). Therefore manual controls often rely on systems for accurate data.
Automated controls: access controls, configurations, workflows, automated interfaces, etc. rely on systems to operate effectively.
Business processes rely on IT General Controls for their systems. We view IT General Controls (ITGCs) as pervasive controls that support the individual vertical business risks and processes. The audit standards require that IT General Controls (Access to Programs and Data, Program Change Control, Program Development/Implementation, and Computer Operations) are effective to support the controls that sit on top of them.
The above illustration shows how IT General Controls are the basis or platform on which any system controls and data rely. The inverse is that when there is a failure in IT General Controls, the system controls and data that depend on the failed ITGCs are no longer effective and fail with them. It is easy to see why a large amount of effort is often needed to avoid relying on the ITGCs when those controls don’t exist or fail.
This is why the sky sometimes seems to be falling after even one ITGC failure. If the ITGCs aren’t effective at addressing the pervasive risks, there can be a cascading effect. How do you avoid this? First, take a deep breath. There is a process for evaluating ITGC failures. At first, all risks and their far-reaching results may be considered, but ultimately there is a balancing act that requires experience to get right.
The answer is often found in redundant and compensating controls that ensure one control failure does not result in a pervasive failure across an ITGC area. Occasionally those compensating ITGCs also fail, and then it is necessary to find a way to address the risks that doesn’t rely on systems. We can help get that balance right to avoid the stress in the first place, and to evaluate and compensate for those failures if they occur.
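The cascading effect and the role of compensating controls described above can be made concrete with a small reliance model. The following Python is an added illustration, not part of the original article: it treats controls as a dependency graph (ITGCs at the base, automated controls and IUC on top, manual controls above those), marks a control effective only when its own test passed and everything it relies on is effective, and lets a compensating control stand in when that is not the case. All control names and dependencies are constructed for the example and do not describe any real audit.

```python
"""Reliance model for ITGC failures (added illustration; constructed data).

A control is effective if its own test passed and every control it relies on
is effective. If not, it may still be covered by a compensating control,
which is evaluated the same way, so a compensating control that itself
relies on the failed ITGC gives no relief.
"""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    layer: str                   # "ITGC", "automated", "IUC" or "manual"
    depends_on: tuple = ()       # controls this one relies on
    compensated_by: tuple = ()   # controls that can stand in if this one fails


# Constructed control environment (hypothetical names, not from a real audit).
CONTROLS = {c.name: c for c in [
    Control("ITGC.access_provisioning", "ITGC"),
    Control("ITGC.quarterly_access_review", "ITGC"),   # redundant ITGC in the same area
    Control("ITGC.change_management", "ITGC"),
    Control("AUTO.three_way_match", "automated",
            depends_on=("ITGC.access_provisioning", "ITGC.change_management")),
    Control("IUC.ar_aging_report", "IUC",
            depends_on=("ITGC.access_provisioning", "ITGC.change_management")),
    Control("MANUAL.ar_reserve_review", "manual",
            depends_on=("IUC.ar_aging_report",)),
    # Manual tie-out of the aging report to external confirmations; relies on no system.
    Control("MANUAL.aging_tieout_to_confirmations", "manual"),
]}
CONTROLS["ITGC.access_provisioning"].compensated_by = ("ITGC.quarterly_access_review",)
CONTROLS["IUC.ar_aging_report"].compensated_by = ("MANUAL.aging_tieout_to_confirmations",)


def is_effective(name, controls, failed, _stack=frozenset()):
    """True if control `name` is effective, given the set of controls whose own tests failed."""
    if name in _stack:           # cycle guard: a control cannot compensate for itself
        return False
    stack = _stack | {name}
    ctl = controls[name]
    own_ok = name not in failed and all(
        is_effective(dep, controls, failed, stack) for dep in ctl.depends_on)
    if own_ok:
        return True
    # Fall back to compensating controls, which are evaluated with the same rules.
    return any(is_effective(comp, controls, failed, stack) for comp in ctl.compensated_by)


def assess(controls, failed):
    """Map every control name to its effectiveness for a given set of failed tests."""
    return {name: is_effective(name, controls, failed) for name in controls}


def cascade(controls, failed):
    """Controls that passed their own test but are ineffective because of what they rely on."""
    outcome = assess(controls, failed)
    return sorted(name for name, ok in outcome.items() if not ok and name not in failed)


if __name__ == "__main__":
    scenarios = {
        "provisioning fails, redundant review holds": {"ITGC.access_provisioning"},
        "both access ITGCs fail": {"ITGC.access_provisioning", "ITGC.quarterly_access_review"},
        "access ITGCs and manual tie-out all fail": {
            "ITGC.access_provisioning", "ITGC.quarterly_access_review",
            "MANUAL.aging_tieout_to_confirmations"},
    }
    for label, failed in scenarios.items():
        print(f"{label}: cascading failures -> {cascade(CONTROLS, failed) or 'none'}")
```

Running the three scenarios shows the balancing act from the article: a single provisioning failure causes no cascade while the redundant access review holds; once both access ITGCs fail, the automated three-way match is lost but the AR reserve review survives only because its report is tied out without relying on the system; and when that manual tie-out fails too, every control above the failed ITGCs fails with them.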