Upload
mark-allan-diaz-flores
View
219
Download
0
Embed Size (px)
Citation preview
8/3/2019 An Information Technology Audit
http://slidepdf.com/reader/full/an-information-technology-audit 1/3
IT Auditing Page 1
Imus Institute
College Department
IT Audit
Kriza S. Matro
IV-BSA
Mr. Jesus Obaña
Recent Development in IT Audits
In recent years, information technology (IT) used by firms, large and small, has become increasinglysophisticated and complex. The explosive growth in IT includes computer hardware, databases,
networks, telecommunications, the Internet, extranets, electronic commerce, client/server architecture,
data warehouses, integrated accounting systems software (such as enterprise resource planning
software), automated reasoning systems and neural networks software. The advances in IT have
significantly changed the methods firms employ to gather and report information. Thus, auditors
encounter many IT environments that maintain data on electronic media rather than paper-based
media. Auditors must determine how the firm uses IT systems to initiate, record, process and report
transactions or other financial data. This understanding is necessary to plan the audit and to determine
the nature, timing and extent of tests to be performed to gain a sufficient understanding of internal
controls.
Issuance of SAS No. 94
As a result, it’s rare to find an entity whose IT use does not also affect its independent audi t. Over the
past several years the AICPA Auditing Standards Board (ASB) has given considerable attention to how IT
affects audits. Recently, it issued SAS no. 94, The Effect of Information Technology on the Auditor’s
Consideration of Internal Control in a Financial Statement Audit, which amends SAS no. 55,Consideration
of Internal Control in a Financial Statement Audit. SAS no. 94 provides guidance on the effect of IT on
internal control and on the auditor’s understanding of internal control and assessment of control risk.
SAS No. 94 was recently issued to provide guidance to auditors concerning the proper assessment of
internal control2 activities in IT systems. The auditing standard states that computer-assisted auditing
8/3/2019 An Information Technology Audit
http://slidepdf.com/reader/full/an-information-technology-audit 2/3
IT Auditing Page 2
techniques (CAATs) are needed to test automated controls in certain types of IT environments. This
paper revisits auditing-through-the-computer techniques, which should become more widely used with
the issuance of SAS No. 94, and focuses on the test data technique, which can be applied in almost any
audit to test automated programmed controls. This technique is relatively easy to apply and does not
require the auditor to have a high degree of computer expertise. An extended illustration of the steps
involved in applying this technique is presented.
SAS no. 94 is not intended to apply to the audits of only very large organizations with sophisticated IT
systems since such technology may affect the audit of any size business, and its impact on internal
control is related more to the nature and complexity of the systems in use than to the entity’s size.
Some of the significant aspects of the new guidance that are discussed individually below are
How IT affects internal control.
The auditor’s consideration of IT. Types of IT controls that are important to the audit.
The auditor’s use of individuals with specialized skills.
The auditor’s understanding of the financial reporting process.
THE AUDITOR’S CONSIDERATION OF IT
SAS no. 94 does not change SAS no. 55’s requirement that the auditor obtain a sufficient understanding
of internal control to plan the audit. However, it raises the bar by requiring the auditor to consider how
an organization’s IT use affects his or her audit strategy. A key aspect of this strategy is the auditor’s
decision on whether to design and perform tests of controls or to assess control risk at a maximum level
and perform only substantive tests. The new SAS says an auditor who plans to perform only substantive
tests needs to be satisfied such an approach will be effective.
Where a significant amount of information supporting one or more financial statement assertions is
electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable
level by performing only substantive tests for one or more financial statement assertions. In such cases,
the auditor should gather evidence about the effectiveness of both the design and operation of controls
intended to reduce the assessed level of control risk.
The guidance recognizes that an entity’s reliance on IT may be so significant that the quality of the audit
evidence available will depend on the controls the business maintains over its accuracy and
completeness. The statement provides two examples in which substantive tests alone generally would
not be sufficient. The growing use of IT to perform all aspects of a transaction results in organizations’
8/3/2019 An Information Technology Audit
http://slidepdf.com/reader/full/an-information-technology-audit 3/3
IT Auditing Page 3
relying more on IT systems and the controls over such transactions. It also means that auditors should
consider, in conducting an audit, whether the controls are operating effectively to provide reasonable
assurance that the related assertions (for example, that the transactions actually occurred and were
properly recorded and valued) are not materially misstated.
SAS NO. 94 AND THE TEST OF CONTROLS
Under the auditing standards (SAS Nos. 48, 55 and 78) relevant to computer-based systems issued prior
to SAS No. 94, a large percentage of auditors assessed control risk at the maximum and performed only
substantive tests of account balances and classes of transactions to gather evidence about financial
statement assertions. SAS No. 94 recognizes that this approach may not be viable in complex IT
environments. When evidence of a firm's initiation, recording and processing of transactions exists onlyin electronic form, the auditor's ability to obtain the desired assurance only from substantive tests is
significantly diminished. SAS No. 94 does not change the requirement to perform substantive tests on
significant amounts, but states that "it is not practical or possible to restrict detection risk to an
acceptable level by performing only substantive tests."3 When assessing the effectiveness of the design
and operation of controls in complex IT environments, it is necessary for the auditor to test these
controls. The decision to test controls is not related to the size of the firm but to the complexity of the IT
environment.
SPECIALIZED SKILLS
SAS no. 94 says an auditor might need specialized skills to determine the effect of IT on the audit, to
understand IT controls or to design and perform tests of IT controls and substantive tests. In some
instances he or she might have to get help from someone who has such skills. The statement includes a
number of factors the auditor might use to determine whether such skills are required, as well as the
specific procedures someone with those skills might perform. An auditor who uses someone with IT
skills should follow the guidance in AU section 311.10, “Planning and Supervision.” As a member of the
audit engagement team, that individual requires the same degree of supervision and review as any
assistant.