4028.2 Is testing ITGCs likely to be efficient and effective?
Sep-2022

Is testing of ITGCs likely to be efficient and effective?

OAG Guidance

ITGC considerations

Why would we test ITGCs?

We may need to understand and test ITGCs in order to address IT dependencies such as:

  • Automated controls
  • Reports generated by an IT application
  • Calculations performed by an IT application
  • Security (restricted access and segregation of duties)
  • Interfaces between IT applications.

Our approach to obtain sufficient evidence regarding the reliability of IT dependencies is based upon our scoping and risk assessment. Based on the controls in the control activities component, we determine the IT dependencies that are relevant to our audit and risks arising from the use of IT related to the IT dependencies (see OAG Audit 5035.3 for additional guidance). Once the IT risks have been identified, we need to identify the entity's ITGCs that address those risks (see OAG Audit 5035.4 for additional guidance). If we determine those ITGCs are designed effectively and implemented as designed, we decide whether to test the operating effectiveness of those ITCGs for the purposes of the audit.

While ITGCs do not directly prevent or detect material misstatements, they indirectly support the reliability of information processing controls and help determine that IT dependencies continue to operate as designed. Effective ITGCs do not automatically result in reliable information processing controls; however, when ITGCs are effective, we do not have to test the controls as frequently as we do when they are ineffective. Often the most effective and efficient manner to approach a highly automated environment with many IT dependencies relevant to the audit is to test ITGCs.

In some cases, instead of testing ITGCs it may be more efficient to test information processing controls using alternative techniques throughout the audit period. We test information processing controls we intend to rely on in circumstances where we do not have ITGC reliance and in circumstances where we do have ITGC reliance; however, the nature of the testing in these two scenarios may vary. With evidence that ITGCs are effective, a benchmarking strategy to IT dependencies may be considered. We use professional judgment to determine the most effective and efficient approach.

Develop IT dependencies testing approach

For each relevant IT dependency determine whether the IT dependency testing will be supported by ITGC reliance or if alternative procedures will be performed. This decision is judgmental and dependent upon the:

  • Number of relevant IT dependencies for an application—the more relevant IT dependencies associated with an application, the greater the likelihood that testing ITGCs will be more efficient;

  • Type of application (offtheshelf, noncomplex commercial software or complex)—off‑the‑shelf packages which are considered non‑complex (see OAG Audit 6054) are often more efficient to test than more complex applications.

For applications where it is concluded that ITGC testing is to be performed the ITGC testing approach needs to be developed and the ITGC evidence obtained needs to be assessed to determine whether further audit procedures are needed over the IT dependencies (see OAG Audit 4028).

Where ITGCs are not tested, alternative procedures over the IT dependencies are developed (see OAG Audit 4028.4).