Maintaining proper controls over information technology is a constant concern for businesses as they try to use technological advances to drive efficiency and growth.
Principle 11 in the newly updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidelines for assessing the effectiveness of controls over IT (see the sidebar, “COSO’s Principle 11”). As part of an organization’s overall assessment of internal control under the framework, Principle 11 can help CPAs manage the rapidly advancing technology their organizations are using.
Exhibit 1 shows the steps CPAs can follow to use Principle 11 to understand their organization’s IT system and its controls, and assess the effectiveness of those controls. This flowchart is general enough to be applied to any business process, whether large and complex or small and simple.
The first step is to gain an understanding of the technology involved, including:
- The IT infrastructure and components;
- The end-computing areas of laptops, hand-held devices, and spreadsheets;
- IT applications outsourced to the cloud and other off-site service providers; and
- How the technology function is managed throughout the entity.
The understanding of these four areas of the technology system is accomplished using procedures described in the AICPA Clarified Auditing Standard AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement:
- Inquiry of personnel;
- Analytical procedures;
- Observation of processes (i.e., walk-throughs); and
- Inspection of documents and documentation.
The last four steps (nodes) in the activity show the analysis of application controls and the assessment of information-processing risks they are addressing, and then an analysis of the general controls over technology that protect the application controls (picture an umbrella). Finally, the CPA will use a system with procedures to assign a value to the probability that the controls will (or will not) prevent or detect and correct the error.
The last step suggests using a control matrix (probably in a spreadsheet) and a maturity model to assign the control score on a 0 to 5 scale. As is true throughout the world of accounting and auditing, judgment must be used to determine if the overall assessment (score) represents a pass or fail of the IT control system.
Imagine, for example, that a CFO at a manufacturing company was using the COSO framework to ensure the effectiveness of its system of internal control. The CFO (or the controller or internal auditor) could use this exhibit to gain a thorough understanding of the company’s entire array of IT controls. Although some companies use the COSO framework only to oversee their internal controls over external financial reporting, the recently revised 2013 framework also can be used to assess controls in multiple operating areas and internal and nonfinancial reporting processes such as the systems for company email, payroll and HR processing, and various manufacturing processes.
Using this exhibit, the CFO and accounting and audit personnel could analyze all of the company’s IT application and general controls to assess their effectiveness. Does the system ensure that authorizations, verifications, reconciliations, and physical control activities are properly designed, documented, and operating effectively in the company’s operating and financial reporting processes? Is access to employees’ personal information in payroll data properly secured? These are questions the exhibit can help answer.
As technology continues to evolve and is integrated into more business processes, the COSO framework provides a helpful guide for effective controls. Applying the framework and Principle 11 correctly is an important step toward achieving a robust system of internal control.
Editor’s note: The AICPA is a member of COSO.
COSO’s Principle 11
Principle 11 of the updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidelines for assessing the effectiveness of information technology controls. Principle 11 states that the organization selects and develops general control activities over technology to support the achievement of objectives. Points of focus supporting the principle state that the organization:
- Determines dependency between the use of technology in business processes and technology general controls.
- Establishes relevant technology infrastructure control activities.
- Establishes relevant security management process control activities.
- Establishes relevant technology acquisition, development, and maintenance process control activities.
Source: COSO Framework.
As businesses adapt rapidly developing technology to their business processes, CPAs need to understand how to assess the effectiveness of IT controls. The internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) can help businesses maintain effective controls.
Principle 11 of the newly updated COSO framework contains specific guidance that organizations can use to make sure the appropriate IT controls are present and functioning.
CPAs can follow a step-by-step procedure to apply Principle 11 to IT controls.