A53. | An entity's system of internal control contains manual elements and often contains automated elements. The characteristics of manual or automated elements are relevant to the auditor's risk assessment and further audit procedures based thereon. |
A54. | The use of manual or automated elements in internal control also affects the manner in which transactions are initiated, recorded, processed, and reported: |
• | Controls in a manual system may include such procedures as approvals and reviews of transactions, and reconciliations and follow-up of reconciling items. Alternatively, an entity may use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace paper documents. |
• | Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts or may be critical to the effective functioning of manual controls that depend on IT. |
An entity's mix of manual and automated elements in internal control varies with the nature and complexity of the entity's use of IT. |
A55. | Generally, IT benefits an entity's internal control by enabling an entity to: |
• | Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data; |
• | Enhance the timeliness, availability, and accuracy of information; |
• | Facilitate the additional analysis of information; |
• | Enhance the ability to monitor the performance of the entity's activities and its policies and procedures; |
• | Reduce the risk that controls will be circumvented; and |
• | Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems. |
A56. | IT also poses specific risks to an entity's internal control, including, for example: |
• | Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. |
• | Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database. |
• | The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties thereby breaking down segregation of duties. |
• | Unauthorized changes to data in master files. |
• | Unauthorized changes to systems or programs. |
• | Failure to make necessary changes to systems or programs. |
• | Inappropriate manual intervention. |
• | Potential loss of data or inability to access data as required. |
A57. | Manual elements in internal control may be more suitable where judgment and discretion are required such as for the following circumstances: |
• | Large, unusual or non-recurring transactions. |
• | Circumstances where errors are difficult to define, anticipate or predict. |
• | In changing circumstances that require a control response outside the scope of an existing automated control. |
• | In monitoring the effectiveness of automated controls. |
A58. | Manual elements in internal control may be less reliable than automated elements because they can be more easily bypassed, ignored, or overridden and they are also more prone to simple errors and mistakes. Consistency of application of a manual control element cannot therefore be assumed. Manual control elements may be less suitable for the following circumstances: |
• | High volume or recurring transactions, or in situations where errors that can be anticipated or predicted can be prevented, or detected and corrected, by control parameters that are automated. |
• | Control activities where the specific ways to perform the control can be adequately designed and automated. |
A59. | The extent and nature of the risks to internal control vary depending on the nature and characteristics of the entity's information system. The entity responds to the risks arising from the use of IT or from use of manual elements in internal control by establishing effective controls in light of the characteristics of the entity's information system. |
Licence and copyright | © 2018, LexisNexis Group a division of Reed Elsevier (UK) Ltd. All rights reserved. |