8/3/2019 An Information Technology Audit

http://slidepdf.com/reader/full/an-information-technology-audit 1/3

IT Auditing Page 1

Imus Institute

College Department 

IT Audit 

Kriza S. Matro

IV-BSA

Mr. Jesus Obaña

Recent Development in IT Audits 

In recent years, information technology (IT) used by firms, large and small, has become increasinglysophisticated and complex. The explosive growth in IT includes computer hardware, databases,

networks, telecommunications, the Internet, extranets, electronic commerce, client/server architecture,

data warehouses, integrated accounting systems software (such as enterprise resource planning

software), automated reasoning systems and neural networks software. The advances in IT have

significantly changed the methods firms employ to gather and report information. Thus, auditors

encounter many IT environments that maintain data on electronic media rather than paper-based

media. Auditors must determine how the firm uses IT systems to initiate, record, process and report

transactions or other financial data. This understanding is necessary to plan the audit and to determine

the nature, timing and extent of tests to be performed to gain a sufficient understanding of internal

controls.

Issuance of SAS No. 94

As a result, it’s rare to find an entity whose IT use does not also affect its independent audi t. Over the

past several years the AICPA Auditing Standards Board (ASB) has given considerable attention to how IT

affects audits. Recently, it issued SAS no. 94, The Effect of Information Technology on the Auditor’s

Consideration of Internal Control in a Financial Statement Audit, which amends SAS no. 55,Consideration

of Internal Control in a Financial Statement Audit. SAS no. 94 provides guidance on the effect of IT on

internal control and on the auditor’s understanding of internal control and assessment of control risk.

SAS No. 94 was recently issued to provide guidance to auditors concerning the proper assessment of 

internal control2 activities in IT systems. The auditing standard states that computer-assisted auditing

8/3/2019 An Information Technology Audit

http://slidepdf.com/reader/full/an-information-technology-audit 2/3

IT Auditing Page 2

techniques (CAATs) are needed to test automated controls in certain types of IT environments. This

paper revisits auditing-through-the-computer techniques, which should become more widely used with

the issuance of SAS No. 94, and focuses on the test data technique, which can be applied in almost any

audit to test automated programmed controls. This technique is relatively easy to apply and does not

require the auditor to have a high degree of computer expertise. An extended illustration of the steps

involved in applying this technique is presented.

SAS no. 94 is not intended to apply to the audits of only very large organizations with sophisticated IT

systems since such technology may affect the audit of any size business, and its impact on internal

control is related more to the nature and complexity of the systems in use than to the entity’s size. 

Some of the significant aspects of the new guidance that are discussed individually below are

How IT affects internal control.

The auditor’s consideration of IT. Types of IT controls that are important to the audit.

The auditor’s use of individuals with specialized skills. 

The auditor’s understanding of the financial reporting process.  

THE AUDITOR’S CONSIDERATION OF IT 

SAS no. 94 does not change SAS no. 55’s requirement that the auditor obtain a sufficient understanding

of internal control to plan the audit. However, it raises the bar by requiring the auditor to consider how

an organization’s IT use affects his or her audit strategy. A key aspect of this strategy is the auditor’s

decision on whether to design and perform tests of controls or to assess control risk at a maximum level

and perform only substantive tests. The new SAS says an auditor who plans to perform only substantive

tests needs to be satisfied such an approach will be effective.

Where a significant amount of information supporting one or more financial statement assertions is

electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable

level by performing only substantive tests for one or more financial statement assertions. In such cases,

the auditor should gather evidence about the effectiveness of both the design and operation of controls

intended to reduce the assessed level of control risk.

The guidance recognizes that an entity’s reliance on IT may be so significant that the quality of the audit

evidence available will depend on the controls the business maintains over its accuracy and

completeness. The statement provides two examples in which substantive tests alone generally would

not be sufficient. The growing use of IT to perform all aspects of a transaction results in organizations’

8/3/2019 An Information Technology Audit

http://slidepdf.com/reader/full/an-information-technology-audit 3/3

IT Auditing Page 3

relying more on IT systems and the controls over such transactions. It also means that auditors should

consider, in conducting an audit, whether the controls are operating effectively to provide reasonable

assurance that the related assertions (for example, that the transactions actually occurred and were

properly recorded and valued) are not materially misstated.

SAS NO. 94 AND THE TEST OF CONTROLS

Under the auditing standards (SAS Nos. 48, 55 and 78) relevant to computer-based systems issued prior

to SAS No. 94, a large percentage of auditors assessed control risk at the maximum and performed only

substantive tests of account balances and classes of transactions to gather evidence about financial

statement assertions. SAS No. 94 recognizes that this approach may not be viable in complex IT

environments. When evidence of a firm's initiation, recording and processing of transactions exists onlyin electronic form, the auditor's ability to obtain the desired assurance only from substantive tests is

significantly diminished. SAS No. 94 does not change the requirement to perform substantive tests on

significant amounts, but states that "it is not practical or possible to restrict detection risk to an

acceptable level by performing only substantive tests."3 When assessing the effectiveness of the design

and operation of controls in complex IT environments, it is necessary for the auditor to test these

controls. The decision to test controls is not related to the size of the firm but to the complexity of the IT

environment.

SPECIALIZED SKILLS 

SAS no. 94 says an auditor might need specialized skills to determine the effect of IT on the audit, to

understand IT controls or to design and perform tests of IT controls and substantive tests. In some

instances he or she might have to get help from someone who has such skills. The statement includes a

number of factors the auditor might use to determine whether such skills are required, as well as the

specific procedures someone with those skills might perform. An auditor who uses someone with IT

skills should follow the guidance in AU section 311.10, “Planning and Supervision.” As a member of the

audit engagement team, that individual requires the same degree of supervision and review as any

assistant.