ISA 315: Assessing the IT environment and GITCs

Although there are many changes to auditing requirements as a result of the revised version of ISA (UK) 315 Identifying and Assessing the Risks of Material Misstatement, assessing the IT environment and GITCs, in particular, will require a practical approach.

Here is an outline of the practicalities of assessing the IT environment and GITCs of a firm being audited under the revised version of ISA (UK) 315.

Understanding the IT environment

For most entities, IT is a central part of its environment, so understanding how entities utilise IT in its activities is vital in any audit.

As such, understanding which systems are used, whether these are ‘off-the-shelf’ or bespoke, the level of reliance placed on certain IT systems and processes, as well which systems and processes impact on the financial reporting process is vital.

In terms of the complexity of IT systems and processes, audit firms should set a policy in respect of what they consider to be complex, moderately complex or not complex with details on how to approach work in respect of each.

In addition to understanding the IT systems and processes, auditors should ensure they understand how the systems are operated, whether certain controls are automated or manual, how access is restricted, where controls be overridden and the reliability of the data extracted (for example, whether reports be manipulated).

GITCs

GITCs are implemented to address risks arising from the use of IT. They are typically grouped into three areas:

1. Processes to manage access – those that ensure a user accessing the system is appropriately authorised to do so, has been given an appropriate level of access which is regularly reviewed and revoked when the individual no longer needs such access for their role.
2. Processes to manage program or other changes to the IT environment – those that implement a change management process to ensure that changes to the design and implementation of the system are suitably tested, appropriately authorised and that data is correctly converted.
3. Processes to manage IT operations – those that control access to schedule and initiate jobs or programs that may affect financial reporting, job monitoring to check successful execution of jobs, backup and recovery and intrusion detection. IT operations may well be outsourced to third-party providers.

Common examples of GITCs include: 

• Access to programs is restricted to authorised personnel who each have their own credentials and whose access is limited to that which is required for their specific role. A list of users and their access levels is reviewed by management on a monthly basis. 
• Passwords must meet minimum standards with regard to complexity including being more than 12 characters long, including both upper and lowercase, including at least one number and at least one special character. 
• Changes to programs are tested and approved before being moved into a production environment. 
• The system will not permit the same person to set up and approve a payment. 

Appendix 6 to the revised ISA also offers a range of examples.

When should this work be undertaken? 

This may depend on the size and complexity of the client. Ideally, this work should be undertaken two months before the period end however, if there has been a change, work should be conducted both before and after the change is implemented.

In addition, it would be important to understand how the change has been managed, for example: 

• have management appraised the new systems in detail?
• have staff been training thoroughly?
• will all the key controls within the old system be contained in the new system?
• are there new key controls?