Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Page 240
IT General Controls
IT general controls are entity-wide controls that apply to many if not all application systems and help ensure their continued proper operation. For example, the effectiveness of an entity’s controls relating to the access of its database will determine whether it will be successful in maintaining the integrity of those data, which may be used in a number of different applications.
If there are inadequate general controls, controls at the application level may not function properly, and the information produced by the system may be largely unreliable. For that reason, IT general controls are typically included within the evaluation of internal control effectiveness.
But which IT general controls are used?
To answer this question, it is helpful to think of IT general controls as operating within three different domains, or stacks:
1. Database
2. Operating system
3. Network
There are three control objectives within each of these domains:
1. Systems are appropriately tested and validated prior to being placed into production.
2. Data are protected from unauthorized change.
3. Any problems or incidents in operations are properly responded to, recorded, investigated, and resolved.
To determine which IT general controls should be used for the evaluation, apply the risk-based, top-down approach. IT general controls will vary in how directly they affect the financial reporting process and therefore in the risk that their failure could result in a material misstatement of the financial statements.