4028.1 Introduction
Sep-2022

Introduction

OAG Guidance

Risk‑based approach to IT

Adopting a risk‑based approach to IT, centred on the IT dependencies and on the risks arising from the use of IT that we have deemed relevant to the audit, helps us achieve both quality and efficiency. The approach involves understanding, evaluation and risk assessment; planning the audit response; gathering evidence; and completion. The diagram below gives examples of the risks we typically consider across the four IT domains:

Under the risk‑based approach, we develop one overall strategy for testing ITGCs, automated information processing controls and manual information processing controls, because of the interdependencies between them. Factors to consider before we determine the nature, timing and extent of testing for ITGCs include:

  • The quality and effectiveness of the IT control environment and ELCs over IT

  • Knowledge gained from past audits and any significant known or anticipated changes to people, processes, applications, technologies, operations or business conditions that could impact our audit

  • Entity level controls executed by IT management in the normal course of business to monitor controls

  • The risks associated with the automated information processing controls and the ITGCs. An ITGC does not necessarily carry the same level of risk simply because it is associated with an application related to an identified IT dependency. For example, consider change control procedures over an application with customized programs compared with an application that has no customization: the extent of procedures would be greater for the application with customized programs, because IT is making changes to programs that affect the underlying accounts. These risks apply to the ITGCs on which the automated information processing controls depend, together with the risk that the ITGCs will fail to support the ongoing effectiveness of those automated controls. For example, if program change control over an application were found to be deficient, we would assess the impact of the deficiency on our ability to rely on the automated information processing controls within that application.

  • The administration and organizational structure of relevant data centres and their controls. IT data centres are typically not aligned directly with business unit locations and have their own scoping considerations.

  • Consideration of the existence of shared services or the use of service organizations. See OAG Audit 6040 for further guidance on how to rely on controls when a service organization is used.

  • Use of a benchmarking strategy for automated information processing controls. See OAG Audit 6054 for a further understanding of benchmarking and for guidance on how to use a benchmarking strategy.

We evaluate the design and implementation of IT General Controls within the control activities component for all engagements, regardless of the audit approach. Evaluating the design and implementation of ITGCs informs our assessment of the risks of material misstatement and determines the nature, timing and extent of further audit procedures, including our audit response to risks arising from the use of IT. Our understanding of the IT environment, together with our evaluation of the design and implementation of ITGCs, helps us determine whether testing those ITGCs, or performing alternative procedures to address the IT dependencies, is likely to result in an effective and efficient strategy. This strategy is illustrated below: