The use of IT and its complexity have evolved massively over the past decade. The risk that comes with the use of IT, and the options for protecting IT environments, have changed, and frameworks are trying to keep up with the latest best practices in the industry. For example:
- International Organization for Standardization (ISO) 27001 and 27002 were updated in 2022 to include controls such as threat intelligence, data masking and data leakage prevention.
- The Cloud Security Alliance (CSA) STAR Cloud Control Matrix (CCM) was updated in 2021 to include controls related to encryption, data protection and threat protection.
- ISACA’s COBIT® 2019 was published in 2018 as an update to COBIT 5.
- The Service Organization Control (SOC) Type 2 framework was updated in 2017 with a reference to COBIT.
More Focus on IT Within Financial Statements Audits
Because IT can have a major impact on the continuity and financial figures of organizations, financial statement auditors must pay more attention to the risk of using IT within organizations. Thus, the International Federation of Accountants (IFAC) made some major updates to the International Standard on Auditing (ISA) 315, and one of the biggest changes is the increased focus on IT, including guidance on IT general controls. Specifically, accountants must consider the risk of using IT within financial statement audits. This raises a question about the IT general controls used in the IT assessments that accountancy firms perform: are IT general controls outdated?
IT General Controls Deserve an Update
Using a limited set of key controls and tests to cover the biggest IT risk seems like an appropriate plan. However, the use of IT and its complexity have evolved massively, while the list of IT general controls in use has barely changed. That cannot be right, right?
The way IT works is still the same. Access management, change management and IT operations should not disappear from the field of IT general controls. However, because of the use of Internet-facing applications and application programming interfaces (APIs) that let software systems work together, more risk that can affect data integrity is being identified in the field, including fraud.
Frameworks are updated regularly with new controls and criteria, since IT risk that is actually exploited has a great impact. Similarly, IT general controls should not be a static set of risk and controls to take into consideration. IT general control guidance must be reviewed periodically to evaluate whether the significant risk to financial statements is still covered. Controls such as security assessments and security monitoring, which are necessary for protecting the integrity of data, should be considered as well.
Editor’s note: For further insights on this topic, read Jouke Albeda’s recent Journal article, “Are IT General Controls Outdated? Data Protection and Internal Control Over Financial Reporting,” ISACA Journal, volume 6 2022.