Title: Effects of IT on Consideration of Internal Control in a Financial Statement Audit
2. The Following Materials Are from Recently Issued SAS No. 94. This Information Has a High Probability of Appearing on the CPA Exam in May 2002 and Thereafter.
3. Introductory Concepts
- In obtaining an understanding of internal control (IC), the auditor considers how use of information technology (IT) and manual procedures may affect controls relevant to the audit
- The auditor must assess control risk for the assertions embodied in account balances or transaction types (319.02)
4. Assessing Control Risk at Less Than Maximum
- Assessing control risk below maximum is ordinarily more effective and efficient than performing only substantive tests
- This is called a controls reliance audit
- Controls reliance audits characteristically
- Result in relatively lower audit fees
- Allow the auditor to perform more work at interim
5. Assessing Control Risk at Maximum
- In assessing control risk at maximum
- Controls are effectively ignored
- The auditor performs only substantive tests
- However, it may not be practical or possible to restrict detection risk to an acceptable level by performing only substantive tests (319.03)
- Where evidence of initiation, recording, or processing of data exists only in electronic form, the auditor's ability to obtain desired assurances only from substantive tests significantly diminishes
6. Some Controls May Relate to Objectives Irrelevant to the Audit
- Though important to the entity, these ordinarily do not relate to the audit process
- Consequently, these ordinarily need not be considered by the auditor
- Examples would include
- Controls concerning management decision-making processes, e.g. pricing or capital expenditure (cap ex) decisions
- Sophisticated IT controls to maintain an airline's flight scheduling (319.12)
7. Characteristics of Manual Systems (311.17)
- Entity uses manual procedures and records in paper format
- Manually reported sales orders on paper forms or journals
- Credit authorization, shipping reports, individuals post A/R
- Controls are also manual
- Manual approvals and reviews
- Manual reconciliations and follow-up
8. Characteristics of IT Based Systems (319.17)
- Automated procedures to initiate, record, process, and report transactions
- Records in electronic format replace paper purchase orders, invoices, shipping documents, and other records
- Controls characteristically consist of a combination of automated controls (embedded in programs) and manual controls
- Manual controls in IT systems may
- Be independent of IT
- Use IT produced information
- Be limited to monitoring the effective functioning of IT
9. Benefits of IT on Internal Controls (319.18)
- Consistently applied predefined business rules and performance of complex calculations in large volumes of data
- Enhanced timeliness, availability, and accuracy of information
- Facilitates additional analysis of information
- Enhanced ability to monitor performance of activities, policies, and procedures
- Reduced risk of controls circumvention
- Enhanced ability to effectively segregate duties through security controls
10. Controls Risks Relating to IT (319.19)
- Systems or programs inaccurately processing data, processing inaccurate data, or both
- Unauthorized data access may cause
- Data destruction or loss
- Unauthorized or nonexistent transactions
- Inaccurately recorded transactions
- Unauthorized changes to master files
- Unauthorized changes to systems or programs
- Failure to make necessary system or program changes
- Inappropriate manual intervention
11. Inherent Limitations of Internal Controls: IT Perspectives (319.21-22)
- Errors may occur in designing, maintaining, or monitoring automated controls
- Errors may occur in use of information produced by IT
- Program edit routines flagging transactions exceeding certain limits may be overridden or disabled
12. Extent of Understanding of Controls Activities Component (311.26)
- May need only be a limited understanding in auditing a noncomplex entity with significant owner-manager approval and review
- May require greater understanding for an entity with a large volume of revenue transactions relying on IT to measure and bill services in a complex, changing rate structure
13. Determining Whether an IT Audit Professional Is Needed (319.30-31)
- Specialized IT skills may be needed in the audit
- To determine effects of IT on the audit
- To understand IT controls
- To design and perform tests of IT controls, and substantive testing
14. Factors to Consider in Determining Need for IT Auditor (319.31-32)
- Complexity of IT system and related controls
- Significance of system changes, or new system implementation
- Extent to which data is shared among systems
- Extent of electronic commerce transacted
- Entity use of emerging technologies
- Significance of audit evidence available only electronically
15. IT Controls May Be Viewed As Application Controls and General Controls (319.43-46)
- Application controls apply to processing of individual applications
- Examples include edit checks, numerical sequence checks and manual review of exception reports
- With manual reviews, controls effectiveness depends on both user review and accuracy of report information
16. IT Controls May Be Viewed As Application Controls and General Controls (cont.)
- General controls
- Relate to many applications
- Are therefore pervasive controls, supporting effective functioning of application controls
- Examples include
- Data center and network operations controls
- System software acquisition and maintenance
- Access security
- Segregation of duties often achieved by implementing security controls
17. Information and Communication: IT Issues (319.50-51)
- Automated processes controls
- May reduce risk of inadvertent error
- Do not overcome risk of inappropriate override by persons
- There may be little or no visible evidence of system intervention
- IT non-standard journal entries
- May exist only in electronic form
- May be more difficult to identify than would be the case with printed or paper documents and journals
18. Monitoring: IT Issues (319.54-55)
- Characteristically, much information used in monitoring is produced by the IT system
- Management should not assume data used for monitoring is accurate! GIGO
- GIGO can lead to incorrect management conclusions concerning monitoring
19. Documenting Controls Understanding (319.61)
- Means for documenting controls of complex IT systems where large volumes of data are electronically processed
- Flowcharts
- Questionnaires (ICQs)
- Decision tables
- Memorandums may be sufficient in documenting controls where little or no use of IT or where few transactions are processed