Effects of IT on Consideration of Internal Control in a Financial Statement Audit - PowerPoint PPT Presentation

1
Effects of IT on Consideration of Internal
Control in a Financial Statement Audit
  • Dr. Donald McConnell Jr.

2
The Following Materials Are from Recently Issued
SAS No. 94. This Information Has a High
Probability of Appearing on the CPA Exam in May
2002 and Thereafter.

3
Introductory Concepts
  • In obtaining an understanding of internal control
    (IC), the auditor considers how use of
    information technology (IT) and manual procedures
    may affect controls relevant to the audit
  • The auditor must assess control risk for the
    assertions embodied in account balances or
    transaction types (319.02)

4
Assessing Control Risk at Less Than Maximum
  • Assessing control risk below maximum is
    ordinarily more effective and efficient than
    performing only substantive tests
  • This is called a controls reliance audit
  • Controls reliance audits characteristically
  • Result in relatively lower audit fees
  • Allow the auditor to perform more work at interim

5
Assessing Control Risk at Maximum
  • In assessing control risk at maximum
  • Controls are effectively ignored
  • The auditor performs only substantive tests
  • However, it may not be practical or possible
    to restrict detection risk to an acceptable level
    by performing only substantive tests (319.03)
  • Where evidence of initiation, recording, or
    processing of data exists only in electronic
    form, the auditor's ability to obtain desired
    assurances only from substantive tests
    significantly diminishes

6
Some Controls May Relate to Objectives Irrelevant
to the Audit
  • Though important to the entity, these ordinarily
    do not relate to the audit process
  • Consequently, these ordinarily need not be
    considered by the auditor
  • Examples would include
  • Controls concerning management decision-making
    processes, e.g. pricing or capital expenditure
    (cap ex) decisions
  • Sophisticated IT controls to maintain an
    airline's flight scheduling (319.12)

7
Characteristics of Manual Systems (311.17)
  • Entity uses manual procedures and records in
    paper format
  • Manually reported sales orders on paper forms
    or journals
  • Credit authorization, shipping reports,
    individuals post A/R
  • Controls are also manual
  • Manual approvals and reviews
  • Manual reconciliations and follow-up

8
Characteristics of IT Based Systems (319.17)
  • Automated procedures to initiate, record,
    process, and report transactions
  • Records in electronic format replace paper
    purchase orders, invoices, shipping documents,
    and other records
  • Controls characteristically consist of a
    combination of automated controls (embedded in
    programs) and manual controls
  • Manual controls in IT systems may
  • Be independent of IT
  • Use IT produced information
  • Be limited to monitoring the effective
    functioning of IT

9
Benefits of IT on Internal Controls (319.18)
  • Consistently applied predefined business rules
    and performance of complex calculations in large
    volumes of data
  • Enhanced timeliness, availability, and accuracy
    of information
  • Facilitates additional analysis of information
  • Enhanced ability to monitor performance of
    activities, policies, and procedures
  • Reduced risk of controls circumvention
  • Enhanced ability to effectively segregate duties
    through security controls

10
Controls Risks Relating to IT (319.19)
  • Systems or programs inaccurately processing data,
    processing inaccurate data, or both
  • Unauthorized data access may cause
  • Data destruction or loss
  • Unauthorized or nonexistent transactions
  • Inaccurately recorded transactions
  • Unauthorized changes to master files
  • Unauthorized changes to systems or programs
  • Failure to make necessary system or program
    changes
  • Inappropriate manual intervention

11
Inherent Limitations of Internal Controls: IT
Perspectives (319.21-22)
  • Errors may occur in designing, maintaining, or
    monitoring automated controls
  • Errors may occur in use of information produced
    by IT
  • Program edit routines flagging transactions
    exceeding certain limits may be overridden or
    disabled

12
Extent of Understanding of Controls Activities
Component (311.26)
  • May need only be a limited understanding in
    auditing a noncomplex entity with significant
    owner-manager approval and review
  • May require greater understanding for an entity
    with a large volume of revenue transactions
    relying on IT to measure and bill services in a
    complex, changing rate structure

13
Determining Whether an IT Audit Professional Is
Needed (319.30-31)
  • Specialized IT skills may be needed in the audit
  • To determine effects of IT on the audit
  • To understand IT controls
  • To design and perform tests of IT controls, and
    substantive testing

14
Factors to Consider in Determining Need for IT
Auditor (319.31-32)
  • Complexity of IT system and related controls
  • Significance of system changes, or new system
    implementation
  • Extent to which data is shared among systems
  • Extent of electronic commerce transacted
  • Entity use of emerging technologies
  • Significance of audit evidence available only
    electronically

15
IT Controls May Be Viewed As Application Controls
and General Controls (319.43-46)
  • Application controls apply to processing of
    individual applications
  • Examples include edit checks, numerical sequence
    checks and manual review of exception reports
  • With manual reviews, controls effectiveness
    depends on both user review and accuracy of
    report information

16
IT Controls May Be Viewed As Application Controls
and General Controls (cont.)
  • General controls
  • Relate to many applications
  • Are therefore pervasive controls, supporting
    effective functioning of application controls
  • Examples include
  • Data center and network operations controls
  • System software acquisition and maintenance
  • Access security
  • Segregation of duties often achieved by
    implementing security controls

17
Information and Communication IT Issues
(319.50-51)
  • Automated processes controls
  • May reduce risk of inadvertent error
  • Do not overcome risk of inappropriate override by
    persons
  • There may be little or no visible evidence of
    system intervention
  • IT non-standard journal entries
  • May exist only in electronic form
  • May be more difficult to identify than would be
    the case with printed or paper documents and
    journals

18
Monitoring IT Issues (319.54-55)
  • Characteristically, much information used in
    monitoring is produced by the IT system
  • Management should not assume data used for
    monitoring is accurate! GIGO
  • GIGO (garbage in, garbage out) can lead to
    incorrect management conclusions concerning
    monitoring

19
Documenting Controls Understanding (319.61)
  • Means for documenting controls of complex IT
    systems where large volumes of data are
    electronically processed
  • Flowcharts
  • Questionnaires (ICQs)
  • Decision tables
  • Memorandums may be sufficient in documenting
    controls where there is little or no use of IT
    or where few transactions are processed