SAS 145 and IT General Controls: What Healthcare Leaders Need to Know


As healthcare organizations increasingly rely on complex information technology (IT) systems to manage financial and patient data, the risks tied to technology have grown more significant. The Statement on Auditing Standards No. 145 (SAS 145) outlines updated audit guidance that emphasizes the need to understand IT environments and assess IT General Controls (ITGCs) as part of risk evaluation. For healthcare entities preparing for audits, staying ahead of these updates is essential to ensure regulatory compliance, protect sensitive data, and support audit readiness. This article highlights the IT-related requirements of SAS 145, explains the role of ITGCs, and outlines how PYA helps healthcare clients strengthen their IT control environment through audit services.

SAS 145 Overview

Issued by the AICPA Auditing Standards Board and effective for audits of financial statements for periods ending on or after December 15, 2023, SAS 145: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement updates the standards for how auditors assess the risk of material misstatement in financial statements. A key feature of this guidance is a sharpened focus on the role of information technology in an organization’s control environment.

Auditors are now expected to gain a more detailed understanding of how an entity’s IT systems operate, especially those that affect financial reporting, and to document how the entity’s ITGCs shape their risk assessment and audit procedures. This includes identifying the IT applications and infrastructure that support financial reporting, the risks that arise from using them, and the ITGCs that address those risks and keep automated controls and system-generated reports reliable.

In the healthcare sector, where financial systems often integrate with electronic health records (EHRs), billing platforms, and other critical applications, these requirements are especially relevant. Healthcare organizations must ensure their IT controls are designed and operating effectively to support accurate reporting, withstand audit scrutiny, and protect sensitive data.

IT General Controls Simplified

ITGCs are the policies and controls that keep the IT environment stable and secure so that the applications running in it can be relied on. They are commonly grouped into three areas, each answering a question an auditor will ask:

  • Logical access: is access to systems and data restricted to authorized individuals, granted through an approval process, reviewed periodically, and removed promptly when someone leaves or changes roles?
  • Change management: are changes to programs, interfaces, and configurations authorized, tested by someone other than the developer, and approved before they reach production?
  • Computer operations: are scheduled jobs and interfaces processed completely, accurately, and within the required time window, with failures detected, logged, and resolved?

ITGCs are generally not designed to detect, prevent, or correct a specific material misstatement on their own. Their role is indirect but critical: they support the continued effective operation of automated application controls and the integrity, availability, and security of the financial data those controls act on. A weak ITGC, such as an administrator who can change billing rules without approval, does not misstate a balance by itself, but it removes the basis for trusting the automated controls and reports that depend on that system.

By ensuring stable and controlled system environments, ITGCs help maintain the accuracy and completeness of system-generated reports and automated controls. This process reduces the risk of unauthorized changes, data loss, and processing errors that could compromise financial reporting.
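To make the three control areas above concrete, here is an added example (not code from the original article or from PYA) of the kind of evidence check an auditor or internal control owner performs for each one: reconciling application accounts against the HR roster, tracing production deployments back to approved change tickets, and reviewing a batch-job log for failures, record-count mismatches, and overruns. All record layouts, field names, role names, the SLA threshold, and the data itself are constructed for illustration and are assumptions, not a description of any real system.

```python
"""Added example: automated checks for the three ITGC areas.

Every data structure here is constructed sample data; field names,
role names and thresholds are assumptions for illustration only.
"""

# --- Logical access -----------------------------------------------------
# Constructed HR roster: the authoritative list of who should have access.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "role": "billing_clerk"},
    "asmith": {"status": "terminated", "role": "nurse"},
    "rlee":   {"status": "active",     "role": "db_admin"},
    "mpatel": {"status": "active",     "role": "revenue_cycle"},
}
# Constructed export of the application's user table.
APP_ACCOUNTS = [
    {"user": "jdoe",    "enabled": True,  "roles": ["ar_posting"]},
    {"user": "asmith",  "enabled": True,  "roles": ["chart_read"]},
    {"user": "rlee",    "enabled": True,  "roles": ["sysadmin", "gl_close"]},
    {"user": "svc_hl7", "enabled": True,  "roles": ["interface_engine"]},
    {"user": "mpatel",  "enabled": False, "roles": ["ar_posting"]},
]
# Roles that can alter data or code outside the normal workflow (assumed);
# each holder needs a documented approval on file.
PRIVILEGED_ROLES = {"sysadmin", "gl_close"}
APPROVED_PRIVILEGED = {("rlee", "sysadmin")}


def access_review(roster, accounts, privileged, approved):
    """Findings for 'access is restricted to authorized individuals'."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts are not a finding
        person = roster.get(acct["user"])
        if person is None:
            findings.append(("unknown_account", acct["user"]))
        elif person["status"] == "terminated":
            findings.append(("terminated_still_enabled", acct["user"]))
        for role in acct["roles"]:
            if role in privileged and (acct["user"], role) not in approved:
                findings.append(("privileged_without_approval",
                                 f"{acct['user']}:{role}"))
    return findings


# --- Change management --------------------------------------------------
# Constructed production deployment log and change-ticket register.
DEPLOYMENTS = [
    {"id": "dep-101", "component": "billing_rules", "ticket": "CHG-4410"},
    {"id": "dep-102", "component": "hl7_mapping",   "ticket": "CHG-4412"},
    {"id": "dep-103", "component": "gl_interface",  "ticket": None},
]
CHANGE_TICKETS = {
    "CHG-4410": {"approved": True, "tested_by": "mpatel", "developer": "rlee"},
    "CHG-4412": {"approved": True, "tested_by": "rlee",   "developer": "rlee"},
}


def change_review(deployments, tickets):
    """Findings for 'changes are authorized, tested and approved'."""
    findings = []
    for dep in deployments:
        ticket = tickets.get(dep["ticket"]) if dep["ticket"] else None
        if ticket is None:
            findings.append(("no_approved_ticket", dep["id"]))
            continue
        if not ticket["approved"]:
            findings.append(("ticket_not_approved", dep["id"]))
        if ticket["tested_by"] == ticket["developer"]:
            findings.append(("no_segregation_of_duties", dep["id"]))
    return findings


# --- Computer operations ------------------------------------------------
# Constructed nightly batch log for a claims-to-ledger job.
JOB_RUNS = [
    {"job": "claims_to_gl", "date": "2024-04-01", "status": "success",
     "records_in": 1200, "records_out": 1200, "minutes": 14},
    {"job": "claims_to_gl", "date": "2024-04-02", "status": "success",
     "records_in": 1310, "records_out": 1297, "minutes": 15},
    {"job": "claims_to_gl", "date": "2024-04-03", "status": "failed",
     "records_in": 1250, "records_out": 0, "minutes": 2},
    {"job": "claims_to_gl", "date": "2024-04-04", "status": "success",
     "records_in": 1220, "records_out": 1220, "minutes": 95},
]
MAX_MINUTES = 60  # assumed processing window for the job


def operations_review(runs, max_minutes):
    """Findings for 'data is processed completely and on time'."""
    findings = []
    for run in runs:
        key = f"{run['job']}@{run['date']}"
        if run["status"] != "success":
            findings.append(("job_failed", key))
            continue
        if run["records_in"] != run["records_out"]:
            findings.append(("record_count_mismatch", key))
        if run["minutes"] > max_minutes:
            findings.append(("exceeded_window", key))
    return findings


def run_all():
    """Run all three reviews on the constructed data; keyed by control area."""
    return {
        "access": access_review(HR_ROSTER, APP_ACCOUNTS,
                                PRIVILEGED_ROLES, APPROVED_PRIVILEGED),
        "change": change_review(DEPLOYMENTS, CHANGE_TICKETS),
        "operations": operations_review(JOB_RUNS, MAX_MINUTES),
    }


if __name__ == "__main__":
    for area, findings in run_all().items():
        print(area, findings)
```

Each finding maps to evidence an auditor will request: the terminated user and the unknown service account are deprovisioning and account-inventory gaps; the unapproved privileged role and the self-tested change are segregation-of-duties gaps; the record-count mismatch is exactly the kind of silent interface error that makes a system-generated report unreliable even when the job reports success.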

Risks Arising from Technology Use in Healthcare

Organizations increasingly depend on technology to process financial transactions and manage sensitive data. Without strong IT controls, they face issues such as unauthorized access to financial systems, inaccurate or incomplete transaction processing, and inappropriate changes to key system configurations.

These risks are often compounded by over-reliance on automated processes without adequate human oversight, which can lead to undetected errors or control failures. To protect data integrity and ensure reliable financial reporting, business leaders must identify and mitigate these risks early, especially in complex IT environments like those found in healthcare.

Key risks in the healthcare environment include

  • Unauthorized access to EHRs or protected health information
  • Inaccurate patient data or billing information due to system/interface errors
  • Uncontrolled or inappropriate changes to EHR systems or clinical applications
  • Failure to detect or prevent unauthorized access to medical devices or networked systems

The Value of ITGCs in Healthcare

ITGCs play a foundational role in the evaluation of IT systems, as they directly influence the reliability of data and the effectiveness of automated controls. Poorly designed ITGCs, such as inadequate access controls or ineffective change management, can undermine the integrity of financial information and increase the likelihood of errors or fraud going undetected.

In the context of healthcare, where systems often involve sensitive data and complex integrations, strong ITGCs are essential to maintaining trust in both operational and financial outcomes.

How PYA Can Help

As audit standards evolve to reflect the growing role of technology, understanding and evaluating IT General Controls has become essential, especially under SAS 145. For healthcare organizations, staying ahead of these changes is key to ensuring compliance, mitigating risk, and supporting audit readiness.

At PYA, we understand the complex IT challenges faced by healthcare organizations. We provide tailored audit and advisory services to help clients assess, strengthen, and document their ITGCs. By combining deep audit expertise with technical understanding of healthcare and service organization IT systems, we help our clients reduce risk, meet compliance requirements, and achieve greater confidence in their control environments.
