Tommie Singleton

IT General Controls and Assurance Services

Associated role and risks revealed.

July 18, 2011
by Tommie Singleton, CPA.CITP

IT General Controls (ITGC) have become increasing important with both the ubiquitous use of computers and technology and the advent of certain risk-based approach (RBA) technical standards. For instance, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard 2 (AS-2), superseded by AS-5. The AICPA adopted the risk-based standards (SAS No. 104-111) that are also relevant. Together, these facts make audit procedures and evaluation of ITGC a vital component of most assurance services since 2007.

It is important to adequately identify and address the specific risks that IT introduces into the relevant reporting processes, controls and data associated with the assurance service being provided. Part of that risk emanates indirectly from ITGC.

Reader Note: Don’t miss Tommie Singleton’s session at the upcoming AICPA E.D.G.E. Conference in New Orleans, LA, August 10-12.

ITGCs include IT risks associated with areas such as the IT environment (e.g., managing the IT function), change management (changes to hardware, software and other technologies), access controls (especially logical access controls), data backup and recovery and third-party providers (specifically IT-related service providers).

One of the key factors about ITGC is the relevance it has on the assurance of automated controls, such as those involved with Sarbanes-Oxley Section 404 audits (i.e., AS5 audits). The simple truth is the assurance of automated controls is usually related directly to the assurance of the ITGC surrounding the design, implementation and operation of that automated control. This stems from the fact that the relevant ITGCs provide the environment from which the automated controls are designed, implemented and operated. In fact, AICPA standards state the auditor CANNOT rely on automated controls unless the ITGC are relatively reliable (i.e. no material weaknesses in the ITGC). Thus significant deficiencies (SD) or material weaknesses (MW) in the ITGC do directly impact the degree and scope of IT risks associated with automated controls.

In addition, there are IT risks associated with almost all entities in its ITGC environment that need to be identified, evaluated and assessed in relation to assurance, audit procedures and assurance risk (e.g., audit risk in a financial audit). For instance, it is fairly common for entities to “dump” data from a financial system to an electronic spreadsheet from which transactions are calculated (e.g., depreciation, closing) or actually posted to the General Ledger (GL). In this particular case, ITGCs are extremely important in gaining assurance over errors or fraud associated with the financial reporting process and associated data.


A major point regarding ITGC is the need to properly scope and address IT risks. That is, the assurance service CPA team should not overlook a relevant IT risk that could lead to the risk of material misstatement (or other assurance objective) and the team should not include IT risks that are unrelated to the audit objectives. This “fine line” of proper scoping of IT risks is not intuitive to the untrained CPA. Therefore, firms providing assurance services should make sure its audit staff understand ITGC; its role, its inherent risk and its influence on assurance risk (e.g., RMM).

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Tommie Singleton, Ph.D., CPA (inactive), CISA, CITP, CFF, CGEIT, is associate professor of Accounting at the University of Alabama at Birmingham, where he is also director of the Forensic Accounting Program and Marshall Scholar and serves as the program chair for AICPA IT Audit Training School in 2011.