Learning Outcomes
After reading this article, you will be able to explain the difference between IT general controls and IT application controls, identify examples of each, and describe their importance within the internal audit and external audit context. You will be able to evaluate their role in the reliability of financial information, recognize typical deficiencies, and recommend effective controls or audit procedures relevant to ACCA exam scenarios.
ACCA Audit and Assurance (AA) Syllabus
For ACCA Audit and Assurance (AA), you are required to understand the impact of IT on internal control systems and the audit process. This article addresses:
- The distinction between IT general controls and IT application controls.
- Examples and purposes of both categories of IT controls.
- The effect of IT controls on the reliability of financial records.
- The role of internal audit in reviewing and testing IT controls.
- Audit procedures relevant to IT environments.
- Evaluation and communication of deficiencies in IT controls.
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What is the main difference between IT general controls and IT application controls? Give one example of each.
- Why are IT general controls essential for the reliability of financial reporting?
- A company has weak controls over user access to its accounting system. Identify one risk and recommend an appropriate control.
- List two typical audit procedures an internal auditor could perform to test the effectiveness of IT general controls.
Introduction
Modern organizations depend on computer systems for processing and recording financial information. Ensuring the integrity, security, and accuracy of these systems requires strong IT controls. For ACCA Audit and Assurance (AA), you must be able to distinguish IT general controls (ITGCs) from IT application controls, understand their roles, and assess their effectiveness in preventing or detecting errors and fraud. Internal audit functions also play a key role in monitoring, testing, and improving IT controls—often collaborating with external auditors to support the overall control environment.
Key Term: IT general controls
Policies and procedures that apply broadly across IT systems, supporting overall system integrity and reliability.
Key Term: IT application controls
Automated or manual procedures that apply to specific software applications to ensure completeness, accuracy, authorization, and validity of processed data.
IT General Controls
IT general controls (ITGCs) form the basis for all computerized systems within an organization. Unless these controls operate effectively, specific application controls may not be reliable, as the core system could be compromised.
Common types of IT general controls
- Access controls: Restricting system and data access to authorized users, enforcing strong passwords, and regularly reviewing user access rights.
- Change management controls: Ensuring that program and system changes are authorized, tested, and documented before implementation.
- Backup and recovery controls: Regularly backing up critical data and testing recovery procedures to prevent data loss.
- Physical security controls: Protecting physical IT assets (e.g., servers, backup media) from theft, damage, or unauthorized access.
- IT operations controls: Monitoring batch processing, system jobs, and resolution of system errors.
Effective ITGCs help prevent unauthorized changes, fraud, or data loss that could undermine the reliability of financial records.
Worked Example 1.1
An audit team tests the backup and recovery procedures of a company. They find backups are not performed regularly, and recovery has not been tested in over a year.
Question: What are the risks and what recommendations should the internal auditor provide?
Answer:
The risk is that data may be lost if the system fails, resulting in incomplete or inaccurate financial information. The internal auditor should recommend implementing a documented backup schedule, performing regular test recoveries, and reviewing backup logs to ensure reliability.
IT Application Controls
Application controls are embedded within individual software systems and are designed to ensure that data is processed accurately and only valid transactions are recorded.
Typical IT application controls
- Input controls: Validate data on entry (e.g., format checks, required fields, range checks).
- Processing controls: Ensure data is processed as intended, such as batch totals and run-to-run totals.
- Output controls: Confirm reports or files are complete and directed to authorized users.
- Reference file maintenance controls: Limit changes to reference data (e.g., supplier details) through authorization and audit logs.
These controls directly address completeness, accuracy, and validity assertions in financial reporting.
Worked Example 1.2
An accounts payable system prevents the same invoice number from being entered twice.
Question: What type of application control is this, and what risk does it address?
Answer:
This is an input control (duplicate check). It helps prevent duplicate payments and overstatement of expenses or liabilities by ensuring each invoice is recorded only once.
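The following is an added illustration, not code from the article or from any accounts payable product, showing the application controls listed above (required-field, format, range and duplicate input checks, plus a batch-total processing control) applied to a constructed invoice batch. The invoice number format `INV-` followed by six digits, the 50,000 range ceiling and the field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed house conventions for the constructed accounts payable system
INVOICE_NO_FORMAT = re.compile(r"^INV-\d{6}$")   # format check: e.g. INV-000123
MAX_INVOICE_AMOUNT = 50_000.00                    # range check ceiling
REQUIRED_FIELDS = ("invoice_no", "supplier_id", "amount")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (invoice_no, reason) pairs


def validate_invoice(inv, already_posted):
    """Input controls for one invoice. Returns None if it passes, else the reason it fails."""
    for key in REQUIRED_FIELDS:                    # required-field check
        if inv.get(key) in (None, ""):
            return f"missing required field: {key}"
    if not INVOICE_NO_FORMAT.match(inv["invoice_no"]):   # format check
        return "invoice number fails format check"
    amount = inv["amount"]
    if not isinstance(amount, (int, float)) or not 0 < amount <= MAX_INVOICE_AMOUNT:
        return "amount outside permitted range"   # range check
    if inv["invoice_no"] in already_posted:        # duplicate check (Worked Example 1.2)
        return "duplicate invoice number"
    return None


def process_batch(invoices, control_total, control_count):
    """Apply input controls to each invoice, then reconcile the accepted items
    against the batch header (a processing control). Returns (result, batch_ok)."""
    result = BatchResult()
    posted = set()
    for inv in invoices:
        reason = validate_invoice(inv, posted)
        if reason is None:
            posted.add(inv["invoice_no"])
            result.accepted.append(inv)
        else:
            result.rejected.append((inv.get("invoice_no"), reason))
    posted_total = round(sum(i["amount"] for i in result.accepted), 2)
    batch_ok = posted_total == round(control_total, 2) and len(result.accepted) == control_count
    return result, batch_ok


# Constructed batch: a clean invoice, one failure of each control, then another clean one
SAMPLE_INVOICES = [
    {"invoice_no": "INV-000101", "supplier_id": "S01", "amount": 1200.00},
    {"invoice_no": "INV-000102", "supplier_id": "S02", "amount": 75000.00},  # fails range check
    {"invoice_no": "INV-000101", "supplier_id": "S01", "amount": 1200.00},   # duplicate
    {"invoice_no": "0103",       "supplier_id": "S03", "amount": 300.00},    # fails format check
    {"invoice_no": "INV-000104", "supplier_id": "",    "amount": 450.50},    # missing supplier
    {"invoice_no": "INV-000105", "supplier_id": "S05", "amount": 99.99},
]

if __name__ == "__main__":
    res, ok = process_batch(SAMPLE_INVOICES, control_total=1299.99, control_count=2)
    for inv in res.accepted:
        print("posted  ", inv["invoice_no"], inv["amount"])
    for no, why in res.rejected:
        print("rejected", no, "->", why)
    print("batch reconciles to header:", ok)
```

The batch header figures (total and count) are what the clerk expects to post; when the figures passed in disagree with what survived the input controls, `batch_ok` is False and the batch should be investigated rather than posted, which is the point of a run-to-run or batch-total control.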
The Role of Internal Audit in IT Controls
Internal auditors are responsible for evaluating whether IT general and application controls are properly designed and functioning as intended. They often:
- Assess the design and implementation of IT controls across the organization.
- Perform tests of controls, such as reviewing access logs or inspecting audit trails.
- Report deficiencies and recommend improvements to management and those charged with governance.
- Collaborate with IT specialists to review complex or technical controls.
Key Term: internal audit
An independent function within an organization that assesses control processes, including those related to IT, and reports findings to management.
Evaluating IT Control Deficiencies
When internal auditors identify weaknesses in IT controls, timely communication to management is required, especially for significant deficiencies that may impact financial reporting or operational effectiveness. Examples of IT control deficiencies include:
- Weak user access controls, enabling unauthorized data entry or changes.
- Inadequate change management, leading to untested or unauthorized system updates.
- Failure to maintain or test system backups.
Recommendations should address the specific weakness, assign responsibility, and suggest monitoring for ongoing effectiveness.
Worked Example 1.3
During a system walkthrough, the auditor observes that users can access payroll data even after leaving the company.
Question: What is the deficiency, and how should it be corrected?
Answer:
The deficiency is a lack of timely user access removal. The control should require formal procedures to promptly deactivate accounts when employees leave and regular review of active user lists.
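As an added example that is not part of the article, the "regular review of active user lists" recommended above can be performed by reconciling the application's user export against the HR leaver record. The employee ids, user names, dates and field names below are constructed, and the rule that an account must be disabled on the leaving date itself is an assumed policy.

```python
from datetime import date

# Constructed HR record of leavers: employee id -> leaving date
HR_LEAVERS = {
    "E102": date(2024, 3, 31),
    "E230": date(2024, 5, 15),
    "E410": date(2024, 6, 1),
}

# Constructed export of the payroll application's user list (assumed field names)
PAYROLL_USERS = [
    {"user": "jsmith", "employee_id": "E101", "status": "active",   "last_login": date(2024, 6, 20)},
    {"user": "akhan",  "employee_id": "E102", "status": "active",   "last_login": date(2024, 4, 12)},
    {"user": "mlee",   "employee_id": "E230", "status": "disabled", "last_login": date(2024, 5, 14)},
    {"user": "rjones", "employee_id": "E410", "status": "active",   "last_login": None},
]


def find_orphaned_accounts(users, leavers, as_of):
    """Return one finding per account still active after its holder's leaving date.
    Rated 'high' when the account was actually used after that date, else 'medium'."""
    findings = []
    for u in users:
        leave_date = leavers.get(u["employee_id"])
        if leave_date is None or u["status"] != "active" or as_of <= leave_date:
            continue                      # current staff, already disabled, or not yet left
        last = u["last_login"]
        used_after = last is not None and last > leave_date
        findings.append({
            "user": u["user"],
            "employee_id": u["employee_id"],
            "days_active_after_leaving": (as_of - leave_date).days,
            "used_after_leaving": used_after,
            "severity": "high" if used_after else "medium",
        })
    # Longest-open accounts first, so the report leads with the worst exposure
    return sorted(findings, key=lambda f: f["days_active_after_leaving"], reverse=True)


if __name__ == "__main__":
    for f in find_orphaned_accounts(PAYROLL_USERS, HR_LEAVERS, as_of=date(2024, 6, 30)):
        print(f)
```

Run against the constructed data as of 30 June 2024 it reports two accounts: one that has been used since the employee left (a high-severity finding, since payroll data was accessed by a non-employee) and one that is merely still enabled. An account disabled on time, such as `mlee`, produces no finding.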
Exam Warning
Every IT application relies on the basis provided by general controls. Deficient ITGCs (e.g., lack of access restrictions or poor backup controls) can render detailed application controls ineffective. Auditors must consider the impact of ITGC failures before relying on application-level testing.
Testing IT Controls: Audit Procedures
Auditors should select tests appropriate for the assessed risk and control objectives. Typical procedures include:
- Reviewing system access logs for unauthorized attempts.
- Inspecting documentation for recent program changes, verifying approval and testing.
- Observing regular backup processes and reviewing restoration test results.
- Using test data to simulate transactions and confirm validation checks are enforced.
- Checking that batch totals and error reports are generated and reviewed.
If deficiencies are identified, auditors may increase substantive testing or recommend remediation.
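The first procedure in the list, reviewing system access logs for unauthorized attempts, can be scripted so that the auditor works from a complete population rather than a sample. The block below is an added example, not code from the article or any logging product: the log line format, the authorised user list, the business hours window, the failed-login threshold and the service account name are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed log lines in an assumed "date time user result source" layout,
# including one malformed line to show that unparseable entries are counted, not ignored
SAMPLE_LOG = """\
2024-06-03 08:55:12 jsmith LOGIN_OK 10.0.1.15
2024-06-03 09:02:44 akhan LOGIN_FAIL 10.0.1.22
2024-06-03 09:02:51 akhan LOGIN_FAIL 10.0.1.22
2024-06-03 09:03:05 akhan LOGIN_FAIL 10.0.1.22
2024-06-03 09:03:20 akhan LOGIN_FAIL 10.0.1.22
2024-06-03 09:04:01 akhan LOGIN_OK 10.0.1.22
garbled entry that does not match the layout
2024-06-03 23:41:09 jsmith LOGIN_OK 203.0.113.7
2024-06-04 02:15:33 svc_batch LOGIN_OK 10.0.1.5
2024-06-04 10:12:00 tbrown LOGIN_OK 10.0.1.31
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (LOGIN_OK|LOGIN_FAIL) (\S+)$")

# Assumed control parameters for the constructed environment
AUTHORISED_USERS = {"jsmith", "akhan", "svc_batch"}   # tbrown is deliberately absent
SERVICE_ACCOUNTS = {"svc_batch"}                       # expected to run outside business hours
BUSINESS_HOURS = (time(8, 0), time(18, 30))
FAILED_THRESHOLD = 3                                   # failures per user that warrant follow-up


def parse_log(text):
    """Yield parsed rows; return the number of malformed lines via the generator's final value."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield {"ts": ts, "user": m.group(2), "result": m.group(3), "source": m.group(4)}


def count_malformed(text):
    return sum(1 for line in text.splitlines() if line and not LINE_RE.match(line))


def review_access_log(text):
    """Return a list of (finding_kind, user, detail) tuples for the auditor to follow up."""
    failures = Counter()
    findings = []
    for row in parse_log(text):
        if row["result"] == "LOGIN_FAIL":
            failures[row["user"]] += 1
            continue
        when = row["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if row["user"] not in AUTHORISED_USERS:
            findings.append(("unauthorised_account", row["user"], when))
        elif not BUSINESS_HOURS[0] <= row["ts"].time() <= BUSINESS_HOURS[1] \
                and row["user"] not in SERVICE_ACCOUNTS:
            findings.append(("out_of_hours", row["user"], when))
    for user, n in failures.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("repeated_failures", user, n))
    return findings


if __name__ == "__main__":
    print("malformed lines:", count_malformed(SAMPLE_LOG))
    for kind, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{kind:22} {user:10} {detail}")
```

On the constructed log this surfaces three items for follow-up: a successful login by an account not on the authorised list, a successful login well outside business hours, and a user with four failed attempts before succeeding. The malformed line count is reported separately because gaps in the log population are themselves an IT operations finding.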
Summary
IT general controls and application controls together form the backbone of reliable financial processing in computerized environments. Effective ITGCs ensure the environment is secure, while application controls provide specific processing assurance. Internal audit plays a key role in evaluating, testing, and reporting on these controls, helping organizations to maintain the integrity of financial and operational data.
Key Point Checklist
This article has covered the following key knowledge points:
- Differentiate IT general controls from IT application controls and offer examples of each.
- Explain the role of both types of controls in supporting reliable financial reporting.
- Describe how internal audit evaluates and tests IT controls and communicates deficiencies.
- Identify typical tests auditors perform over IT systems and recognize the impact of IT control weaknesses on audit strategy.
Key Terms and Concepts
- IT general controls
- IT application controls
- internal audit