Loic Jegousse, CISA, CISM, CGEIT, CRISC
Application and IT-dependent controls can reduce the overall cost of a controls assessment program provided that the conditions for the test-of-one are met. This is because, usually, the unit cost of testing an application control is less than the unit cost of testing a manual control since it is faster to test a control once than to inspect a number of manual transactions. However, as soon as application controls are deemed in scope, management is also required to assess the effectiveness of the underlying IT general controls (ITGC) environment, which means a fixed (sunk) cost regardless of the number of IT controls. What if those application/IT-dependent controls could be replaced by manual controls? What approach is more cost-effective: automated or manual? For the purposes of this blog post, we will assume that any application/IT-dependent control can be changed into an effective manual control.
Intuitively, there is a break-even point whereby the benefits of application controls testing will compensate for the sunk cost of ITGC testing.
Let us set the following variables, which may be specific to each application system:
- M = Unit cost of testing 1 manual control
- A = Unit cost of testing 1 application/automated control (where A < M)
- GC = Labor cost of testing ITGC, e.g., system development life cycle (SDLC), change control, access control and computer operations. The more complex the IT environment, the greater GC is.
Note that all of the parameters should be expressed in the same unit of measure (hours, person-days, etc.). The equation to determine the break-even point as a function of n (the number of application/IT-dependent controls relied upon) is:
n*M = n*A + GC, which gives:
n = GC/(M - A)
Let us practice an example in which ITGC are effective with M = 20 hours, A = 8 hours, and GC = 80 hours. We calculate n = 80/(20 - 8) = 6.6667, which rounds up to n = 7. This means that it makes business sense to use applications only if management relies on 7 or more application controls. The business case to expand reliance on application/IT-dependent controls (as opposed to manual controls) is compelling, provided that n is greater than 7.
In another example in which ITGC are not effective (which was the focus of the article), the conditions for the test-of-one are not met. That means that application/IT-dependent controls have to be tested in the same way as manual controls. If we have M = 20 hours, A = 19 hours and GC = 80 hours, we would find n = 80/(20 - 19) = 80, which is very high. Therefore, when ITGC are not effective, it is hard to support the business case of relying on application controls. This is due to the double whammy caused by ITGC testing and inefficiencies in the testing of application controls, which do not meet the test-of-one criteria. This is why it can make business sense to rely more on manual controls in an instance in which IT assurance is minimal (as detailed in the article