
Internal Control and IT Audit Terminology

insight_knowledge 2020. 7. 21. 15:32

Glossary

IT application

A set of programs that helps an entity process transactions along the critical paths of SCOTs and significant disclosure processes or produce IPE that is able to be subjected to IT processes and controls. Groups of programs that are relevant to processing data but may lack formal IT application names are considered IT applications for our work. Examples of such tools include data transformation programs and interface programs. IT applications do not need business users to be included in scope. Programs written in end user computing tools such as Visual Basic in Microsoft Excel or Microsoft Access may not be designed to be able to be subjected to IT processes and controls and are not IT applications as defined here.

IT environment

IT applications and supporting IT infrastructure, IT processes and personnel involved in the IT process (generally, the IT personnel).

IT processes

The manage change, manage access and manage IT operations processes and the related controls that management uses to perform the functions of the IT personnel.

IT general controls (ITGCs)

Controls that support the continued functioning of application and IT-dependent manual controls and the production of complete and accurate information produced by the entity.

ITGC operating evaluation

Based on the results of our testing, we make an operating evaluation for each ITGC (i.e., ITGC is effective or Ineffective).

ITGC-reliance strategy

This strategy involves understanding IT processes, the risks within the IT processes, and the IT general controls (ITGCs) that address the risks.

IT-dependent manual (ITDM) controls

Manual controls (usually detect and correct controls) that are dependent upon complete and accurate processing to be fully effective (for example, a review of an IT application-produced open orders report to ensure all sales are invoiced).

IT process evaluation

The ITGC evaluations and any IT-substantive procedures performed are used to form a conclusion about whether each relevant IT process adequately addresses the risks in that process. These evaluations are used to determine the aggregate IT evaluations for application and ITDM controls and to determine the extent of work we need to perform on IPE. The possible IT process evaluations are:

· Effective – the ITGCs for the IT process functioned effectively throughout the audit period
· Reliable – IT-substantive procedures were used to address the risks from the use of IT either because that was our original strategy or to address Ineffective ITGCs
· Ineffective – insufficient effective ITGCs exist and IT-substantive procedures cannot provide sufficient evidence to address the risks

IT-substantive strategy

This strategy involves understanding IT processes, the risks within those processes, and addressing those risks through substantive testing.

IT-substantive procedures

Procedures performed to specifically address IT risks (e.g., obtaining evidence that programmers with access to the production environment did not use that access).

IPE definition program(s)

One or more computer programs that define the information to be included in the information produced by the entity and the format (including computations and categorizations) of that information.

Aggregate IT evaluation

The aggregate IT evaluations reflect the effect of the IT process evaluations on each application and ITDM control supported by the in-scope IT application. The possible evaluations are:

· Support – the related IT process or processes have been evaluated as effective or reliable, i.e., the complete and accurate functioning of the application control or the complete and accurate functioning of the automated portion of the ITDM control is supported by the related IT process or processes
· Not Support – the related IT process or processes have been evaluated as Ineffective, i.e., the complete and accurate functioning of the application control or the complete and accurate functioning of the automated portion of the ITDM control is not supported by the related IT process or processes

End user computing tools (EUC)

Computer programs available to users that permit the user to have complete control over the information in that tool. Examples of such tools include Microsoft Access, Excel, and Word. Report writers under the control of users would also be considered EUC tools.

Information produced by the entity (IPE)

Any information created by the entity using the entity’s IT applications, end user computing (EUC) tools or other means (including manually prepared information). We encounter IPE when it is used by management in the performance of controls we are testing, when we use IPE as audit evidence for substantive tests, and when we use IPE as a population from which we select items to test. The concepts related to IPE also apply to information produced by service organizations.

Application controls

Application controls are automated actions of the entity’s IT applications that occur without manual intervention and relate to procedures used in the critical path of transactions or other financial data. Application controls help ensure that transactions occurred, are authorized and are completely and accurately recorded and processed. Application controls can be classified as edit checks, validations, calculations, interfaces and authorizations.

Automated controls

Control activities performed mostly or wholly through technology. Automated controls include application and ITDM controls.

Integrated audit of issuers

Audit of an entity’s financial statements and of its internal control over financial reporting (ICFR) in accordance with the auditing standards of the Public Company Accounting Oversight Board (PCAOB).

 

