
General information technology controls: IT risks auditors must be aware of

Organizations increasingly rely on IT for internal operations and when engaging with external service providers. Keep reading to learn about auditors’ responsibilities related to their client’s IT environment and the related general information technology controls.

The world is increasingly digitized and connected. Organizational reliance on information technology (IT) applications, infrastructure, processes, and personnel is increasing for organizations of all sizes and complexity. With many auditors beginning to apply the requirements of revised Canadian Auditing Standard (CAS) 315, it is timely to share a few reminders of the heightened emphasis on general information technology controls (GITCs) in the revised standard and your related responsibilities as an auditor.

This blog will:

  • revisit auditor responsibilities related to IT and GITCs in CAS 315
  • share available guidance and resources

Revised CAS 315, Identifying and Assessing the Risks of Material Misstatement, includes enhanced material related to the auditor’s consideration of IT and the impact of this on the audit. The revised standard has also clarified the auditor’s responsibilities related to GITCs. The main changes related to IT are included in the auditor’s required understanding of the information system and communication and control activities components.


The information system and communication

As the auditor, you are required to understand the entity’s information system relevant to the preparation of the financial statements, including the IT environment relevant to the flows of transactions and the processing of information in that system and in the entity’s financial reporting process. Understanding how the client’s information system relates to the significant classes of transactions, account balances, and disclosures in the financial statements is important because the client’s use of IT applications, or of other aspects of the IT environment, may give rise to risks arising from the use of IT. An understanding of the entity’s business model and of how it has integrated and used IT may also provide useful context for the nature and extent of IT dependency in the information system.

Your understanding of your client’s use of IT may focus on identifying and understanding the nature and number of specific IT applications as well as other aspects of the IT environment that are relevant to the flows of transactions and processing of information in the information system.

Revised CAS 315: Risk evaluation and control activities

CAS 315 also requires you to identify the IT applications and other aspects of the entity’s IT environment that are subject to risks arising from the use of IT, based on the controls you identified in the control activities component. These identified controls are focused on information processing controls that directly address the integrity of information.

As a next step, for those IT applications and other aspects of the IT environment, you identify the related risks arising from the use of IT and the entity’s GITCs that address those risks. For each identified GITC, you then evaluate whether the control is designed effectively to support the operation of the information processing controls that depend on it, and determine whether the control has been implemented; the results of that evaluation inform the nature of the procedures you plan.

Impact of deficiencies in GITCs

When control deficiencies in GITCs are identified, consider the impact that those control deficiencies may have on the design of further audit procedures in accordance with CAS 330, The Auditor’s Responses to Assessed Risks.

Testing the operating effectiveness of GITCs

Obtaining an understanding of the IT environment relevant to the entity’s information system is an integral part of identifying and assessing risks of material misstatement and of designing and implementing appropriate responses to those risks, including, when applicable, performing tests of controls. Where you plan to rely on the operating effectiveness of controls as part of the response to an assessed risk of material misstatement, and those controls depend on GITCs, you must also test the operating effectiveness of the related GITCs. The greater the client’s reliance on IT applications, the more likely it is that substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. In those cases, you will need to test the operating effectiveness of the identified GITCs.

Impact to the audit engagement

When conducting your engagement planning – with the engagement team during the planning meeting(s) and in conversation with client personnel – questions you may wish to raise could include:

  • What are the risks arising from the use of IT?
  • Considering the identified risks arising from IT, is a substantive audit approach appropriate?
  • What are the relevant GITCs and does the operating effectiveness of these GITCs need to be tested?
  • What is the nature and extent of testing needed to assess the operating effectiveness of identified GITCs and information processing controls?
  • What could be the impact of inappropriately designed and implemented GITCs or GITCs that are not operating effectively?

The extent of your understanding of the IT processes, including the extent to which the entity has GITCs in place, will vary with the nature and circumstances of the entity and its IT environment, as well as the nature and extent of the controls you identified in the control activities component. When contemplating the IT environment, identified information processing controls, and GITCs, you may need to reflect on whether the audit team has the necessary expertise or if additional subject matter experts might be needed. As the entity’s IT environment and IT systems become more complex, the work performed will likely involve team members with more specialized IT skills.

Current resources

  1. Revised CAS 315 includes extensive application material, including six appendices to help auditors. When thinking about risks arising from the use of IT, auditors may find appendices 5 and 6 especially helpful.
    • Appendix 5 of CAS 315 provides examples of characteristics of IT environments, which may be helpful to auditors as they assess the complexity of the environment.
    • Appendix 6 of CAS 315 contains a table of examples of GITCs and risks arising from the use of IT, including for different IT applications based on their nature. This appendix may be helpful when thinking about those clients who have simpler IT systems (see also question O4 of the CAS 315 implementation tool about the use of “off the shelf” accounting software packages, linked below).
  2. The Implementation tool for auditors: Revised CAS 315, risks of material misstatement explains why certain requirements in CAS 315 exist and how they drive an effective audit. Appendix B of this tool includes a diagram on Understanding the Information System and Communication Component of the Entity’s System of Internal Control, which may be helpful in team planning discussions and conversations with client personnel.
  3. Our CAS 315 Practitioner’s Pulse Webinar, recorded earlier this year, offers practical tips for implementation from a current practitioner, including tips for auditors related to GITCs.
  4. CPA Canada also previously published Implementation tool for auditors: Information Technology: Why should auditors care? and Implementation tool for auditors: Designing and performing tests of relevant controls. Both publications address implications of IT for the audit when applying certain requirements of CAS 330, The Auditor’s Responses to Assessed Risks.

Future resources

CPA Canada is exploring what further resources are needed to support Canadian practitioners. We’re listening to Canadian practitioner views and also taking stock of international projects such as the Australian Auditing and Assurance Standards Board’s recently published bulletin about the auditor’s responsibilities related to GITCs. Keep an eye out for future publications on our CAS 315 resource page.


Keep the conversation going

How is the use of technology, either by your clients or by your engagement teams, impacting your audits? What other questions do you have about the IT environment, GITCs, and CAS 315? We are interested in hearing your feedback on the guidance we publish, your suggestions for new guidance, and what you are seeing in practice. Email us directly to share your comments and views.

Disclaimer

The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.