General IT Controls

General IT controls assure that access to the computer system is limited to people who have a right to the information. Appropriate delegation of authority sets limits on what levels of risk are acceptable, and these limits determine the discretion of the employees delegated to authorize the main types of business transactions. Authorization may be general or specific. Examples of general limits set by policy are product price lists, inventory reorder points, and customer credit limits. Specific authorization may be made on a case-by-case basis, such as authorization of a reduction in the price of a dress with buttons missing in a retail clothing store.

Computer Facility Controls

Computer facilities may have several types of controls. General controls, such as access controls, or application controls, such as passwords, allow only authorized people admittance to the computer software. A very important general control is back-up and recovery procedures, as anyone who has had a system go down without current records being adequately backed up will tell you. Physical controls, such as locks on the doors to the computer room and locked cabinets for software and back-up tapes, protect the tangible components of a computer system.

IT Risks

The auditor should be aware that IT poses specific risks to an entity's internal control, including:

Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. For instance, individuals may inappropriately override such automated processes by changing the amounts being automatically passed to the general ledger or to the financial reporting system. Furthermore, where IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.

Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.

The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties. A frequent problem in audits of small to medium-sized businesses is that there is only one IT employee and he has unlimited access to all computer systems hardware and software, all security systems and all back-ups. A response to this risk is to have someone periodically review the security and access logs to monitor the IT employee's activity.
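
One way to carry out the periodic log review described above, as an added example that is not part of the original document. It assumes a hypothetical CSV export of access-log records: the column names, the account name `itadmin`, the duty split in `SENSITIVE`, and the sample rows are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names and values are assumptions.
SAMPLE_LOG = """timestamp,account,area,action,target
2024-03-04T09:12:00,itadmin,system,patch_install,app-server
2024-03-04T22:41:00,itadmin,financial,update_amount,gl_interface_batch_118
2024-03-04T22:47:00,itadmin,security,clear_log,audit_trail
2024-03-05T10:03:00,jsmith,financial,post_entry,gl_journal_552
2024-03-06T08:30:00,itadmin,backup,run_backup,nightly_full
2024-03-07T19:15:00,itadmin,backup,delete_backup,nightly_full_0301
"""

# Areas outside routine IT operations duties (assumed duty split).
# None means every action in that area is flagged.
SENSITIVE = {
    "financial": None,
    "security": {"clear_log", "change_permission", "disable_logging"},
    "backup": {"delete_backup", "restore_backup"},
}

def review_log(log_text, monitored_account):
    """Return (findings, days_with_multiple_areas) for one privileged account."""
    findings = []
    areas_by_day = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["account"] != monitored_account:
            continue
        area = row["area"]
        if area not in SENSITIVE:
            continue
        flagged = SENSITIVE[area]
        if flagged is None or row["action"] in flagged:
            findings.append(row)
            areas_by_day[row["timestamp"][:10]].add(area)
    # One account acting in several sensitive areas on the same day is the
    # segregation-of-duties breakdown the reviewer should ask about first.
    multi = {day: sorted(a) for day, a in areas_by_day.items() if len(a) > 1}
    return findings, multi

if __name__ == "__main__":
    findings, multi = review_log(SAMPLE_LOG, "itadmin")
    for f in findings:
        print(f["timestamp"], f["area"], f["action"], f["target"])
    for day, areas in multi.items():
        print("REVIEW FIRST:", day, "touched", ", ".join(areas))
```

Because the IT employee in this scenario can also reach the security systems, the review is only meaningful when the reviewer works from a copy of the log that he cannot alter.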